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1 Introduction 


This paper carefully guides the reader through the steps of a formal specification and verification 
of the requirements for a simple system — an airline reservation system. This paper is intended for 
the novice and is tutorial in nature. The goal is to explore a few important techniques and concepts 
by way of example rather than to discuss interesting research issues. 

This tutorial is intended to be used while one is sitting at a computer terminal. Therefore, 
general discussions are limited to a few introductory comments. However, the commentary about 
the example problem is extensive. The reader is referred to [1] for a detailed discussion about 
contemporary issues in formal methods research. 

This tutorial presents the techniques of formal specification and verification in the context 
of the Prototype Verification System (PVS) developed by SRI International [2]. No specialized 
knowledge of logic or computer science is assumed, though it is necessary for the reader to have 
the PVS documentation [3, 4, 5] in order to effectively use this tutorial. The tutorial also assumes 
that the reader is familiar with Emacs, the text editor the serves as a front-end to the PVS system. 

1.1 Some Preliminary Concepts 

The requirements specification or high-level design of many systems can be modeled as a state 
machine. This involves the introduction of an abstract representation of system state and a set of 
operations that operate on the system state. These operations transition a system from one state 
to another in response to external inputs. 

The development of a state machine representation of the system requires the development 
of a suitable collection of type definitions with which to build the state description. Additional 
types, constants, and functions are introduced as needed to support subsequent formalization of the 
operations. Operations on the state are defined as functions that take the system from one state to 
another or, more generally, as mathematical relations. Many times an invariant to the system state 
is provided to formalize the notion of a “well-defined” system state. The invariant is shown to hold 
in the presence of an arbitrary operation on the state assuming that the invariant holds before the 
operation begins. Other desired properties may be expressed as predicates over the system state 
and operations, and can be proved as putative theorems that follow from the formalization. 

1.2 Statement of The Example Problem 

In the next sections we will demonstrate some of the techniques of formal specification and verifica- 
tion by way of an example — an automated airline seat assignment system that meets the following 
informal requirements: 

1. The system shall make seat assignments for passengers on scheduled airline flights. 

2. The system shall maintain a database of seat assignments. 

3. The system shall support a fleet having different aircraft types. 

4. Passengers shall be allowed to specify preferences for seat type (e.g., window or aisle). 

5. The system shall provide the following operations or transactions: 

• Make a new seat assignment 

• Cancel an existing seat assignment 
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This example problem was derived from an Ehdm specification presented by Ben Di Vito at the 
Second NASA Formal Methods Workshop [6]. 

2 Formal Specification of the Reservation System 

This section provides a step-by-step elaboration of the process one goes through in developing a 
formal specification of the example system. Much of the typing required to carry out this exer- 
cise can be reduced by retrieving the specifications from airl6.larc.nasa.gov using anonymous 
FTP. The specifications are located in the directory pub/fra/larc/PVS-tutorial in a file named 
plane-reservation-sys . dmp. 

2*1 Creating Basic TYPE Definitions 

We begin our formal specification by creating some names for the objects that our formal speci- 
fication will be describing. We obviously will be talking about seats in an airplane and will need 
a way to identify a particular seat. We decide to represent an airplane’s seating structure as a 
two-dimensional array of “rows” and “positions”. In PVS one writes 

row: TYPE 

position: TYPE 

to define the two domains of values. Of course this specification says nothing about what kind of 
value “row” or “position” could be. We decide to number our rows and positions with positive 
natural numbers. This is illustrated in figure 1. Of course we really don’t need an infinite set of 

position 



Figure 1: Model of Seating Arrangement In An Airplane 

numbers since we know the largest airplane in our fleet, and thus we assume the existence of two 
constants that delineate the maximum number of rows in any airplane and the maximum number 
of positions for any row: 

nrows: posnat X Max number of rows 

nposits: posnat % Max number of positions per row 
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We now modify our specification of “row” and “position”: 

row: TYPE * {n: posnat I 1 <= n AND n <* nrows} 

position: TYPE ■ {n: posnat I 1 <* n AND n <* nposits> 

This defines row and position as subranges of the positive naturals (called posnat in PVS). The 
notation is very simple. The text before the I defines the parent type and the text after the I gives 
a predicate that defines the particular subset of the parent type that you are interested in. Thus, 
row is any positive natural number between 1 and nrows inclusive. 

2.2 Creating a PVS Specification File 

We now put these together in a file. We start up PVS and type M-x nf . PVS asks for a name for 
the new file. We answer “basic.defs .pvs”. PVS creates the following file: 

basic.defs '/, [ parameters ] 

: THEORY 


BEGIN 


X ASSUMING 

'/, assuming declarations 
X ENDASSUMING 


END basic.defs 

We remove all of the text after the % characters, and then add our type definitions 1 : 

basic.defs: THEORY 
BEGIN 

nrows: posnat '/, Max number of rows 

nposits: posnat X Max number of positions per row 


row: TYPE = {n: posnat | 1 <= n AND n <- nrows} 

position: TYPE * {n: posnat I 1 <= n AND n <= nposits} 
END basic.defs 


We now issue the PVS typecheck command, M-x tc. PVS responds “basic-defs typechecked 
in 0 seconds. No TCCS generated”. 

We now need to define some other types that define the flight number, aircraft type, a position 
preference (e.g. aisle or window) and an identifier for passengers: 


flight: TYPE 
plane: TYPE 
preference: TYPE 
passenger: TYPE 


X Flight identifier 
X Aircraft type 
X Position preference 
X Passenger identifier 


We add this text to our file and typecheck again. 

1 The only remaining keywords are THEORY, which delineates the start of a new module, and the BEGIN END 
keywords, which surround the body of the specification. 
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2.3 Definition of the Reservation System Database 

We are ready to define the database that will maintain all of the reservations. For each flight, the 
system must maintain a set of seat assignments. We decide to represent each seat assignment as a 
record that contains a passenger and his assigned seat. This can be formally represented in PVS 
using the record constructor: 

seat.. assignment : TYPE » [# seat: [row, position], 

pass: passenger #] 

The seat field of the record is of type [row, position], an ordered pair (or 2-tuple) of row 
and position. The entire set of seat assignments for a flight can be represented using PVS’s set 
constructor, set. 

f light . assignment s : TYPE * set [seat .assignment] 

This defines a set type that contains only elements of type seat_assignment and assigns it the 
name flight .assignments. Sets are defined in the PVS prelude, which can be displayed using the 
M-x vpf command. The sets module provides definitions for the basic set operations. Some of 
these operations are described in table 1. 


operation 

traditional notation or meaning 

member 

e 

union 

u 

intersection 

n 

difference 

\ 

add 

add element to a set 

singleton 

constructs set with 1 element 

subset? 

C 

emptyset 

0 


Table 1: A partial list of PVS set operations 

The complete flight-reservation database can now be modeled as a mapping from flight identifier 
into that flight’s current set of seat assignments: 

assn.state: TYPE » funct ion [flight -> flight. assignments] 

Initially, each flight has no assignments: 

fit: VAR flight 

initial.state: function [flight -> flight .assignments] = 

(LAMBDA fit: emptyset [seat. assignment] ) 

We add this to our specification and typecheck it. 

2.4 Aircraft Seat Layout 

Since there is a maximum number of rows and seats per row, we must indicate whether a (row, 
position) pair exists for a given aircraft type. This can be accomplished through use of several 
functions that are uniquely defined for different plane types: 
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seat_exists: function [plane, [row, position] -> bool] 
meets.pref : function [plane, [row, position], preference -> bool] 

Since we do not want to restrict our specification to any particular plane type, we do not supply 
a definition (i.e., a function body) for these functions. They are left “uninterpreted.” The in- 
tended meaning of these functions are as follows. The function seat.exists is true only when the 
indicated seat (i.e. [row, posit ion] ) is physically present on the indicated airplane. The func- 
tion meets-pref specifies whether the particular seat is consistent with the particular preference 
indicated. The type of airplane assigned to a particular flight is given by the aircraft function: 

aircraft: function [flight -> plane] 

The description of the basic attributes of the system is now complete. The specification is: 

basic.defs: THEORY 
BEGIN 

nrows: posnat ’/. Max number of rows 

nposits: posnat '/, Max number of positions per row 

row: TYPE = {n: posnat I 1 <= n AND n <= nrows} 

position: TYPE ■ {n: posnat I 1 <= n AND n <= nposits} 


flight: TYPE 
plane : TYPE 
preference : TYPE 
passenger: TYPE 


'/, Flight identifier 
'/, Aircraft type 
'/, Position preference 
7, Passenger identifier 


seat .assignment : TYPE = [# seat: [row, position], 

pass: passenger #] 


f light. as s ignment s : TYPE * set [seat.assignment] 
assn.state: TYPE = function [flight -> flight .assignments] 


fit: VAR flight 

initial.state : function [flight -> flight.assignments] * 
(LAMBDA fit: emptyset [seat.assignment]) 


•/ t = --- B S- = -- ss!==a SBBBSBSSSBBBBBBSBBBBBBBBSBBSBBBBSBSBSSSSSSSSBBBBBBBBBB 

7, Definitions that define attributes of a particular airplane 


X « 


seat.exists: function [plane, [row, position] -> bool] 
meets.pref: function [plane, [row, position], preference -> bool] 
aircraft: function [flight -> plane] 


END basic.defs 
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2.5 Specifying Operations on the Database 

Our method of formally specifying operations is based on the use of state transition functions. The 
function defines the value of system state after invocation of the operation in terms of the system 
state before the operation is invoked. 

To produce a modular specification, we will place the operations in a new theory (i.e. a new 
module). This is accomplished in PVS by using the M-x nt command. We issue this command 
and name the new theory ops. All of the definitions of the basic_defs theory are made available 
to this theory using the IMPORTING command: 

ops: THEORY 
BEGIN 

IMPORTING basic.defs 
END ops 

2.6 Seat Assignment Operations 

The first operation that we need is Cancel_assn(flt ,pas), which cancels the seat assignment for 
a passenger, pas, on flight fit: 

fit: VAR flight 

pas : VAR passenger 

si: VAR assn.state 

a,b: VAR seat .assignment 

Cancel.assn: function [flight, passenger, assn.state -> assn.state] = 

(LAMBDA fit, pas, si: 

si WITH [(fit) := {a | member (a, si (fit)) AND pass(a) /= pas}] ) 

This specification uses the PVS WITH construct. The WITH expression is used to define a new 
function that differs from another function for a few indicated values. For example, f WITH [(1) := 
y] is identical to f, except possibly for f(l) 2 . Thus, all seat assignment sets for flights other than fit 
are unchanged. For flight fit, however, all assignments on behalf of passenger pas are removed 
(there should be at most one). As discussed earlier (i.e. see table 1), the function member is defined 
in the sets module of the PVS prelude. 

The second operation is Make.assn(f It ,pas ,pref ) , which makes a seat assignment, if possible, 
for passenger pas on flight fit. There are two conditions that should prevent us from carrying out 
this operation on the reservation database 

1. when there is no seat available that meets the passenger’s specified preference 

2. when the passenger already has a seat on the plane 

Condition (1) can be expressed in PVS as follows: 

(FORALL seat: meets.pref (aircraft (fit) , seat, pref) 

IMPLIES (EXISTS a: member(a, as(flt)) 

AND seat (a) = seat))) 

2 The resulting function is not different if f(l) = y. 
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This states that all seats that meet the passenger’s preference (meets_pref (aircraft (fit) , seat , 
pref )) are already assigned to another passenger, i.e., there already exists a record a in the database 
with the specified seat. Note that PVS departs from the traditional dot notation (e.g. a. seat) 
and uses seat (a) to dereference the seat field of record a. We can supply a name, pref .filled 
for this condition as follows: 

as: VAR assn.state 

pref : VAR preference 

seat: VAR [row, posit ion] 

pref .filled: function [assn.state, flight, preference -> bool] ■ 

(LAMBDA as, fit, pref: 

(FORALL seat: meets.pref (aircraft (fit) , seat, pref) 

IMPLIES (EXISTS a: member(a, as(flt)) AND seat(a) = seat))) 

The first line gives the types of the arguments and result of the function. The key word LAMBDA 
is just syntax that means “the following text up to the colon are the formal arguments for this 
function. PVS also allows the following equivalent definition: 

pref.f illed(as , fit, pref): bool * 

(FORALL seat: meets.pref (aircraft (fit) , seat, pref) 

IMPLIES (EXISTS a: member(a, as(flt)) 

AND seat (a) = seat)) 

where the types of the function arguments are inferred from the variable declarations. 

The second condition (i.e., the passenger already has a seat on the plane) can be defined as 
follows: 


pass.on.f light : function [passenger, flight, assn.state -> bool] * 

(LAMBDA pas, fit, si: (EXISTS a: 

pass (a) ■ pas AND member(a,sl(flt)))) 

We are now ready to define the operation that assigns a passenger to a particular flight, 
Make-assn: 

Make.assn: function [flight , passenger, preference, assn.state 

-> assn.state] = 

(LAMBDA fit, pas, pref, si: 

IF pref.f illed(sl, fit, pref) OR 

pass.on.f light (pas , fit, si) THEN si 
ELSE 

(LET a * (# seat :» Next_seat(sl,flt,pref) , 
pass : s pas #) IN 

si WITH [(fit) :■ add(a, sl(flt))]) 

ENDIF) 

In this specification, if either of the two anomalous conditions is true, the database is not changed. 
The ELSE clause defines what happens otherwise. This clause uses PVS’s LET construct. The 
LET statement allows one to assign a name to a subexpression. This is especially useful when a 
subexpression is used multiple times in an expression. In our case, the subexpression a only occurs 
once — in the subexpression add(a, si (fit)), which creates a new set by adding the element a to 
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the set si (fit). The LET is used here to make the complete expression easier to read. The value 
of the LET variable a is defined using a record constructor, i.e. (# ... #). In this case, the pass 
field is set equal to the formal parameter pas, and the seat field of the record is updated with the 
result from another function, Next_seat: 

Next.seat: function [assn. state, flight, preference -> [row, position]] 

This function selects the next seat to be given a passenger from all of the available seats. Any 
number of algorithms can be imagined that would make this selection, e.g. the seat with the lowest 
row and position number available. However, since this is a high-level specification, we decide to 
leave the particular selection algorithm unspecified. Thus, we do not define a body for this function 
and leave it as an “uninterpreted” function. Nevertheless, we will need a general property about 
this function in order for one of our proofs to go through 3 . We define this property with an axiom: 

Next.seat. ax: AXIOM NOT pref .f illed(sl , fit, pref) IMPLIES 
seat. exists (aircraft (f It) ,Next_seat (si ,flt ,pref )) 

This axiom states that if a seat is available that matches the specified preference, then the function 
Next-seat returns a [row, position] that actually exists on the airplane scheduled for flight fit. 

Now that we have defined the operations, we are faced with the question, “How do we know that 
the operations were specified correctly?” One approach to this problem is to construct “putative” 
theorems. These are properties about the operations that should be true if we have defined them 
properly. For example, 

Make. Cancel : THEOREM NOT pass.on.f light (pas, fit, si) *> 

Cancel_assn(flt,pas,Make_assn(flt,pas,pref ,sl)) ■ si 

This states that if a particular passenger is not already assigned to a flight, then the result of 
assigning that passenger to a flight and then canceling his reservation will return the database to 
its original state 4 . The process of attempting to prove such theorems can lead to the discovery of 
errors in the specification. The proof of this theorem will be given in a later section. Some other 
examples are: 

Cancel. putative : THEOREM 

NOT (EXISTS (a: seat. assignment) : 

member(a, Cancel. assn(flt, pas, sl)(flt)) AND pass(a) = pas) 

Make. putative : THEOREM NOT pref .f illed(sl , fit, pref) => 

(EXISTS (x: seat.assignment) : 

member(x, Make.assn(f It , pas, pref, si) (fit)) AND pass(x) * pas) 

2.7 Specifying Invariants On the State Of tlie Database 

The system state is subject to three types of anomalies: 

1. Assigning nonexistent seats to passengers 

2. Assigning multiple seats to a single passenger 

3 The need for this property was not apparent until the proofs were in progress. 

4 We have used the alternate PVS syntax for logical implies: •>. 
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3. Assigning more than one passenger to a single seat 

Prevention of anomaly (1) can be formalized as follows: 

existence: funct ion [assn.state -> bool] ■ 

(LAMBDA as: (FORALL a, fit: member (a, as (fit)) IMPLIES 
seat_exists(aircraft(flt) , seat(a)))) 

Prevention of anomaly (2) can be formalized as follows: 

uniqueness: function [assn.state -> bool] * 

(LAMBDA as: (FORALL a,b,flt: 

member(a, as(flt)) AND member(b, as(flt)) 

AND pass (a) = pass(b) IMPLIES a = b)) 

Prevention of anomaly (3) can be formalized as follows: 

one_per_seat : function[assn_state -> bool] ■ 

(LAMBDA as: (FORALL a,b,flt: member(a, as(flt)) AND member(b, as(flt)) 

AND seat (a) = seat(b) IMPLIES a * b)) 

The overall state invariant is the conjunction of the three. However, in order to simplify the dis- 
cussion we will work with the first two and leave the last invariant as an exercise 5 . The conjunction 
of the first two can be captured in a single function as follows: 

assn_ invariant : function [assn.state -> bool] » 

(LAMBDA as: existence(as) AND uniqueness (as)) 

2.8 PVS Typechecking and Typecheck Conditions (TCCs) 

We combine the definitions for the operations and the invariants in a new theory called ops: 
ops: THEORY 

BEGIN 

IMPORTING basic.defs 

fit: VAR flight 

pas: VAR passenger 

as, si: VAR assn.state 

a,b,x: VAR seat.assignment 

pref : VAR preference 

seat: VAR [row, posit ion] 

Cancel. assn: function[f light, passenger, assn.state -> assn.state] ■ 

(LAMBDA fit, pas, si: 

si WITH [(fit) :* {a | member(a,sl(flt)) AND pass(a) /■ pas}]) 


5 It is the easiest of the three invariants. 
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pref. filled: function [assn.state, flight, preference -> bool] « 

(LAMBDA as, fit, pref: 

(FORALL seat: meets.pref (aircraft (fit) , seat, pref) 

IMPLIES (EXISTS a: member(a, as(flt)) 

AND seat (a) = seat))) 

Next.seat: function [assn_state, flight, preference -> [row, position]] 

Next.seat.ax : AXIOM NOT pref _f illed(sl , fit, pref) IMPLIES 
seat.exists (aircraft (fit) ,Next_seat(sl .fit .pref )) 

pass_on_f light : function [passenger , flight, assn.state -> bool] = 

(LAMBDA pas, fit, si: (EXISTS a: 

pass(a) = pas AND member(a,sl(flt)))) 

Make.assn: function [flight, passenger, preference, assn.state 

-> assn.state] = 

(LAMBDA fit, pas, pref, si: 

IF pref.f illed(sl , fit, pref) OR 

pass.on.f light (pas ,flt ,sl) THEN si 
ELSE 

(LET a = (# seat := Next_seat(sl,flt,pref ) , 
pass := pas #) IN 

si WITH [(fit) := add(a, sl(flt))]) 

ENDIF) 


Invariants 


existence: function [assn.state -> bool] = 

(LAMBDA as: (FORALL a, fit: member(a, as(flt)) IMPLIES 

seat.exists (aircraft (fit) , seat (a)))) 

uniqueness: function [assn.state -> bool] * 

(LAMBDA as: (FORALL a,b,flt: 

member(a, as(flt)) AND member(b, as(flt)) 

AND pass (a) = pass(b) IMPLIES a = b)) 

assn.invariant : function [assn.state -> bool] = 

(LAMBDA as: existence (as) AND uniqueness (as)) 

Cancel.assn.inv: THEOREM assn.invariant (si) 

Implies assn. invariant (Cancel_assn(f It ,pas, si)) 

MAe: THEOREM existence(sl) 

IMPLIES existence (Make_assn(f It ,pas ,pref , si) ) 
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MAu: THEOREM uniqueness (si) 

IMPLIES uniqueness (Make_assn(f It, pas, pref , si)) 
Make.assn.inv: THEOREM assn_invariant(sl) »> 

assn.invariant (Make. assn (fit ,pas ,pref , si) ) 

Make.Cancel: THEOREM NOT pass.on.f light (pas, fit, si) => 

Cancel_assn(flt ,pas ,Make_assn(flt , pas, pref ,sl)) ■ si 


END ops 

When we issue the M-x tc command we notice that the system responds ops typechecked: 
2 TCCs, 0 Proved, 0 subsumed, 2 unproved. Unlike many high-level programming languages, 
PVS often requires theorem proving in order to guarantee that the specification is type correct. 
This is the price one has to pay for the very powerful type structure of the language. 

M-x show-tccs opens up a window that displays the typecheck obligations: 

'/, Existence TCC generated for row 
X unproved 

Next .seat. TCC 1: OBLIGATION (EXISTS (xl: posnat) : 1 <= xl AND xl <= nrows) 

7, Existence TCC generated for position 
X improved 

Next.seat.TCC2: OBLIGATION (EXISTS (xl: posnat): 1 <= xl AND xl <« nposits) 

We position the cursor on the first obligation and type M-x pr. The PVS system responds by 
opening up a proof buffer containing the following output: 


Next.seat.TCCl : 


{1} (EXISTS (xl: posnat): 1 <« xl AND xl <= nrows) 

The system wants us to prove that there exists a positive natural number between 1 and nrows. 
We suggest that number 1 is such a number using the INST command. 

Rule? (inst 1 "1") 

Instantiating the top quantifier in 1 with the terms: 

1 

this simplifies to: 

Next.seat.TCCl : 

I 

{1} 1 <■ 1 AND 1 <* nrows 

We then tell the theorem prover that we think we have a proof via the ASSERT command: 


Rule? (assert) 

Invoking decision procedures, 
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Q.E.D. 


Run time ■ 1.28 secs. 

Real time = 25.15 secs. 

MIL 

The prover agrees and responds Q.E.D. The same two commands prove the other obligation as 
well. The use of the theorem prover will be explored in more detail in the next section. 

There is an alternative way to deal with these TCC obligations— through use of the PVS 
CONTAINING clause. Both of these proofs only needed the existence of a member of the user-defined 
subtype. The CONTAINING clause enables one to affirm such a member in the specification: 

row: TYPE = {n: posnat | 1 <= n AND n <= nrows} CONTAINING 1 
position: TYPE = {n: posnat I 1 <= n AND n <= nposits} CONTAINING 1 

If row and position are defined in this manner, the generated TCCs are automatically proven 
using the command H-x tcp. 

3 Formal Verifications 

In this section we will walk-through the mechanical verification of the invariant properties discussed 
previously. 

To establish that the state invariant is preserved by every operation, we must prove theorems 
of the form: 

/(5i) D I(opj>pec(Sj)) 

where Si is the state before the operation and / represents the state invariant. Note that op_spec(Sj) 
is the state of the system after the operation. For our example, the required theorems can be ex- 
pressed as follows: 

Cancel_assn_inv : THEOREM assn_ invariant (si) 

Implies assn_invariant(Cancel_assn(flt,pas,s 1» 

Make_assn_inv: THEOREM assn_ invariant (si) => 

assn_ invariant (Make_assn(f It ,pas ,pref , si) ) 

3.1 Proof that Cancel_assn Maintains the Invariant 

Although it is almost always advisable to search for a proof before engaging the theorem prover, 
the prover can be useful in the discovery of the proof. We shall use this approach on this example, 
since the theorem is shallow and not hard to understand. This section is meant to guide the PVS 
novice through his first non-trivial use of the theorem prover. The goal is to gain some familiarity 
with the capabilities of the system so that further reading in the user manuals is more productive. 
The proofs given in this tutorial are by no means the best way of proving these theorems. They 
were performed with the goal of walking the user through a large number of the PVS commands. 

The user begins a proof session by positioning the cursor on a proof and typing M-x pr. The 
system responds with: 
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Cancel.assn.inv : 


I 

{1} (FORALL (fit: flight), (pas: passenger), (si: assn.state) : 

assn_invariant(sl) IMPLIES assn_invariant(Cancel_assn(flt, pas, si))) 


The user then issues commands that manipulate the formula using truth-preserving operations. 
The goal, of course, is to simplify the formula to the point where the prover can identify the 
formula as a tautology (i.e. and thus a theorem). The user input in this paper can be identified 
by the rule? prompt. All of the inputs in this tutorial are only one line. Although PVS allows 
commands to be entered in either lower or upper case, we will use upper-case letters exclusively to 
enhance readability. 

The first thing that one usually does when proving a formula containing quantifiers (i.e. FORALLS 
or EXISTS) is to remove them. This is necessary because many of the PVS commands are only 
effective when the quantifiers have been removed. There axe two basic strategies for removing 
quantifiers: skolemization and quantification. Some situations require skolemization and others 
require quantification. In this case we need to skolemize formula [l] 6 . In PVS this is accomplished 
using the SKOLEM command: 

Rule? (SKOLEM 1 ("Fit" "Pas" "SI")) 

For the top quantifier in *, we introduce Skolem constants: (Fit Pas SI) 
this simplifies to: 

Cancel_assn_inv : 

I 

{!> assn_invariant(Sl) IMPLIES assn_invariant(Cancel_assn(Flt, Pas, SI)) 


The first parameter of the SKOLEM command (i.e., 1,) specifies which formula the command should 
be applied to 7 . Note that the list of skolem names are enclosed in parentheses as well as the 
complete command itself. 

Clearly, no progress can be made until the meaning of “assn invariant” is exposed to the prover. 
This is done through use of the EXPAND command, i.e. (EXPAND "assn_invariant"). The system 
responds as follows: 

Rule? (EXPAND "assn.invariant") 

Expanding the definition of assn. invariant 
this simplifies to: 

Cancel. assn.inv : 

I 

{1} existence(Sl) AND uniqueness (SI) 

IMPLIES existence(Cancel_assn(Flt, Pas, SI)) 

AND uniqueness (Cancel_assn(Flt , Pas, SI)) 


®The basic idea of skolemization is that a formula like Vx : P(x) which asserts the validity of a predicate P for an 
arbitrary value of x, is equivalent to P(a) where a is a previously unused constant. 

7 In this case there is only one available formula. Later we shall encounter sequents with several formulas. 
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We then proceed to expand with definitions of existence, uniqueness and Cancel_assn: 


Rule? (EXPAND "existence") 

Expanding the definition of existence 
this simplifies to: 

Cancel. assn. inv : 


{1} (FORALL (a: seat. assignment) , (fit: flight): 

member(a, Sl(flt)) IMPLIES seat. exists (aircraft (f It) , seat(a))) 
AND uniqueness (SI) 

IMPLIES 

(FORALL (a: seat. assignment) , (fit: flight): 
member (a, Cancel. assn(Flt , Pas, SI) (fit)) 

IMPLIES seat. exists (aircraft (fit) , seat(a))) 

AND uniqueness (Cancel. assn(Flt , Pas, SI)) 

Rule? (EXPAND "uniqueness”) 

Expanding the definition of uniqueness 
this simplifies to: 

Cancel. assn. inv : 


{1} (FORALL (a: seat. assignment) , (fit: flight): 

member(a, Sl(flt)) IMPLIES seat. exists(aircraft (fit) , seat(a))) 

AND 

(FORALL (a: seat. assignment) , (b: seat. assignment) , (fit: flight): 
member(a, Sl(flt)) AND member(b, Sl(flt)) AND pass(a) = pass(b) 
IMPLIES a = b) 

IMPLIES 

(FORALL (a: seat .assignment) , (fit: flight): 
member (a, Cancel. assn(Flt , Pas, Si) (fit)) 

IMPLIES seat.exists (aircraft (fit) , seat (a))) 

AND 

(FORALL (a: seat .assignment) , (b: seat. assignment) , (fit: flight) 
member(a. Cancel. assn(Flt , Pas, SI) (fit)) 

AND member(b. Cancel. assn(Flt , Pas, Sl)(flt)) 

AND pass(a) = pass(b) 

IMPLIES a = b) 

Rule? (EXPAND "Cancel. assn") 

Expanding the definition of Cancel. assn 
this simplifies to: 

Cancel. assn.inv : 

I — 

{1} (FORALL (a: seat. assignment) , (fit: flight): 

member(a, Sl(flt)) IMPLIES seat.exists (aircraft (f It) , seat(a))) 
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AND 

(FORALL (a: seat .assignment) , (b: seat.assignment) , (fit: flight): 
member(a, Si(flt)) AND member(b, Sl(flt)) AND pass(a) * pass(b) 
IMPLIES a = b) 

IMPLIES 

(FORALL (a: seat.assignment), (fit: flight): 
member (a, 

SI 

WITH [Fit := 

{a: seat.assignment I 

member(a, Sl(Flt)) AND pass(a) /= Pas}] (fit)) 

IMPLIES seat.exists (aircraft (fit) , seat (a))) 

AND 

(FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 
member (a, 

SI 

WITH [Fit := 

{a: seat.assignment | 

member(a, Sl(Flt)) AND pass(a) /* Pas}] (fit)) 

AND 

member (b, 

SI 

WITH [Fit := 

{a: seat.assignment I 

member(a, Sl(Flt)) AND pass(a) /■ Pas}] (fit)) 

AND pass(a) * pass(b) 

IMPLIES a = b) 

We note that the function member appears in several places in the formula. Although this function 
is defined in the PVS prelude I * * * * * * 8 , it must still be expanded in order for PVS to know what it means: 

Rule? (EXPAND "member") 

Expanding the definition of member 
this simplifies to: 

Cancel.assn.inv : 

I 

<1} (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

AND 

(FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

SI (fit) (a) AND SI (fit) (b) AND pass(a) = pass(b) IMPLIES a ■ b) 
IMPLIES 

(FORALL (a: seat.assignment), (fit: flight): 

Si 

WITH [Fit :« 

{a: seat.assignment I Sl(Flt)(a) AND pass(a) /■ Pas}] (fit) (a) 
'Can be inspected by typing M-x vpf . 
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IMPLIES seat.exists (aircraft (fit) , seat(a))) 

AND 

(FORALL (a: seat_assignment) , (b: seat .assignment) , (fit: flight): 

SI 

WITH [Fit := 

{a: seat.assignment I Sl(Flt)(a) AND pass(a) /= Pas}] (f It) (a) 
AND 
SI 

WITH [Fit := 

{a: seat.assignment I 

Sl(Flt) (a) AND pass(a) /= Pas}] (fit) (b) 

AND pass(a) = pass(b) 

IMPLIES a = b) 

Notice that member(a,Sl (f It) ) has been changed to Sl(flt)(a). This looks funny at first, but 
it is correct. In PVS, sets are represented as functions that map from the domain type of the set 
into boolean. This boolean- valued function is true only for members of the set, i.e. S(x) is true if 
and only if x € S. 

We are now ready to issue a useful command that breaks up formulas in a sequent into smaller 
more tractable pieces: FLATTEN: 

Rule? (FLATTEN) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

Cancel.assn.inv : 

{-1} (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat.exists (aircraft (fit) , seat(a))) 

{-2} (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 
si (fit) (a) AND Sl(flt) (b) AND pass (a) = pass(b) IMPLIES a = b) 


-[1} (FORALL (a: seat.assignment), (fit: flight): 

SI 

WITH [Fit := 

{a: seat.assignment | Sl(Flt)(a) AND pass(a) /= Pas}] (fit) (a) 
IMPLIES seat_exists(aircraft(flt) , seat(a))) 

AND 

(FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

Si ,r i"-". : , 

WITH [Fit :* 

{a: seat.assignment I SI (Fit) (a) AND pass(a) /= Pas}] (fit) (a) 
AND 
SI 

WITH [Fit :* 

{a: seat.assignment | Sl(Flt)(a) AND pass(a) /= Pas}] (fit) (b) 
AND pass (a) * pass(b) 

IMPLIES a = b) 

This is a probably a good place to discuss in more detail the nature of a “sequent”. The system 
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has broken the formula into three separate formulas labeled “{-1}, {-2}” and “{1}” separated by 
a horizontal line. The basic idea is that all of the formulas labeled with positive numbers logically 
follow from the formulas labeled with negative numbers. More precisely, the conjunction of the 
antecedent (i.e. negative) formulas logically implies the disjunction of the consequent (i.e. positive) 
formulas. In this instance we have: 


{ — 1} A { - 2} = = > {1} 


We now notice that formula {1} is the conjunction (i.e. AMD) of two formulas. In order for the 
formula to be true, each of these must separately be true. To reduce the amount of text that we 
have to think about at one time, it is helpful to break the proof into two separate steps. The PVS 
system lets us do this with the SPLIT command. 

Rule? (SPLIT 1) 

Splitting conjunctions, 
this yields 2 subgoals: 

Cancel_assn_inv. 1 : 

[-1] (FORALL (a: seat .assignment) , (fit: flight): 

SI (fit) (a) IMPLIES seat.exists (aircraft (fit) , seat (a))) 

[-2] (FORALL (a: seat .assignment) , (b: seat. assignment) , (fit: flight): 
Sl(flt) (a) AMD SI (fit) (b) AND pass (a) - pass(b) IMPLIES a * b) 

| 

{1} (FORALL (a: seat.assignment) , (fit: flight): 

SI 

WITH [Fit := 

{a: seat.assignment I Sl(Flt)(a) AND pass(a) /* Pas}] (fit) (a) 
IMPLIES seat.exists (aircraft (fit) , seat(a))) 

Notice that PVS responds with “Splitting conjunctions, this yields 2 subgoals :. We now 
have two sequents to prove. These are named Cancel.assn _inv. 1 and Cancel .assnJLnv. 2. The 
system automatically keeps track of what has been proved and what is still unfinished. After we 
finish proving Cancel _assn_inv. 1 the system will require us to prove Cancel_assn_inv.2 9 . 

Things are starting to look a bit more tractable. Since we still have universal quantifiers in 
formula {1}, we decide to skolemize it. This time we will use the SKOLEM! command. This tells the 
theorem prover to use any names that it likes. 

Rule? (SKOLEM! 1) 

For the top quantifier in 1, we introduce Skolem constants: (all flt!l) 
this simplifies to: 

Cancel.assn.inv. 1 : 

[-1] (FORALL (a: seat.assignment), (fit: flight): 

SI (fit) (a) IMPLIES seat.exists (aircraft (fit) , seat (a))) 

[-2] (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

SI (fit) (a) AND Si (fit) (b) AND pasB(a) « pass(b) IMPLIES a ■ b) 

, 

’Only one of the subgoals is displayed by the system at a time. The PVS command POSTPONE can be used to 
switch to another subgoal. 
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{1} si 


WITH [Fit := 

{a: seat .assignment I Sl(Flt)(a) AND pass(a) /= Pas}] (f It ! 1) (a! 1) 
IMPLIES seat.exists (aircraft (fit 1 1) , seat(a!l)) 

As we can see, the prover chose names a! 1 and fit! 1. This is not our first choice in names, but 
at least this approach saved some typing. It also has the advantage that the name of the original 
quantified variable is easily retrieved from the skolem name. 

We notice that formula [-1] almost implies formula {1} (that is, after substituting a!l and 
fltll for the universal (i.e. FORALL) variables). The only difference is that in formula {1} the 
function SI is slightly modified — the value of SI (Fit) has been changed. We would like to deal 
with this case separately. This is accomplished by using the CASE command: 

Rule? (CASE "Fit * fltll") 

Case splitting on 
Fit = fltll, 

this yields 2 subgoals: 

Cancel_assn_inv. 1 . 1 : 

{-1} Fit = fltll 

[-2] (FORALL (a: seat .assignment) , (fit: flight): 

SI (fit) (a) IMPLIES seat.exists (aircraft(flt) , seat(a))) 

[-3] (FORALL (a: seat .assignment) , (b: seat .assignment) , (fit: flight): 

Sl(f It) (a) AND SI (fit) (b) AND pass (a) = pass(b) IMPLIES a = b) 

| 

[1] SI 

WITH [Fit := 

{a: seat .assignment I SI (Fit) (a) AND pass(a) /= Pas}] (fit! 1) (a! 1) 
IMPLIES seat.exists (aircraft (fit 1 1) , seat(all)) 

PVS responds with Case splitting on Fit = fltll, this yields 2 subgoals. In one of the 
subgoals, Fit = fltll is put on the antecedent list and NOT Fit = fltll is put on the other 
list. PVS will actually move the NOT formula to the consequent side and remove the NOT. This is 
logically equivalent. We now have three sequents to deal with. However, each of these are simpler 
to prove than the original one. 

We now issue the ASSERT command. This command invokes the PVS decision procedures to 
analyze the sequent. When there are no quantifiers left around and the formulas have been reduced 
to the point where simple propositional reasoning is adequate, ASSERT will automatically finish off 
the proof. In this case, we still have quantifiers on the antecedent side of the sequent, and ASSERT 
does not finish the job. Nevertheless, ASSERT does simplify the sequent for us: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

Cane el .assn. inv. 1 . 1 : 

[-1] Fit -fltll 

[-2] (FORALL (a: seat.assignment) , (fit: flight): 

SI (fit) (a) IMPLIES Beat_exists(aircraft(flt) , seat (a))) 
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[-3] (FORALL (a: seat.assignment), (b: seat .assignment) , (fit: flight): 
Sl(flt)(a) AND Sl(flt)(b) AND pass(a) = pass(b) IMPLIES a * b) 

I- 

{1} Sl(Flt)(a!l) AND pass(a!l) /= Pas 

IMPLIES seat.exists (aircraft (fit ! 1) , seat(a!l)) 

Notice that the WITH structure has been collapsed in formula [1], As we noticed before, formula 
[-2] implies formula {1}, but it contains universally quantified (i.e. FORALL) variables that must be 
instantiated before the PVS decision procedures can effectively work with it. Thus we substitute 
a!l and fltll for the universal variables in [-2] . This is done in PVS using the INST command: 

Rule? (INST -2 "all" "Fit") 

Instantiating the top quantifier in -2 with the terms: 

(a! 1 Fit) 

this simplifies to: 

Cancel.assn.inv . 1 . 1 : 

[-1] Fit - fltll 

{-2} Sl(Flt) (all) IMPLIES seat.exists (aircraft (Fit) , seat(all)) 

[-3] (FORALL (a: seat .assignment) , (b: seat.assignment) , (fit: flight): 

SI (fit) (a) AND Sl(flt) (b) AND pass(a) = pass(b) IMPLIES a = b) 


[1] Sl(Flt)(a!l) AND pass(all) /= Pas 

IMPLIES seat.exists (aircraft (fit 1 1) , seat(all)) 

Formula [1] directly follows from [-1] and [-2], but we remember that PVS’s decision procedures 
often need formulas that contain an IMPLIES to be flattened. So we issue a FLATTEN command: 

Rule? (FLATTEN) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

Cancel.assn.inv . 1 . 1 : 

[-1] Fit = fltll 
{-2} SI (Fit) (a! 1) 

[-3] Sl(Flt)(a!l) IMPLIES seat.exists (aircraft (Fit) , seat(all)) 

[-4] (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

SI (fit) (a) AND SI (fit) (b) AND pass(a) = pass(b) IMPLIES a « b) 

I 

{1} pass(a! 1) = Pas 

{2} seat.exists (aircraft (fit 1 1) , seat(all)) 

Now we issue the ASSERT command: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

Cancel.assn.inv. 1 . 1 : 

[-1] Fit « fltll 
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[-2] Si (Fit) (a! 1) 

[-3] (FORALL (a: seat .assignment) , (b: seat. assignment) , (fit: flight): 
Sl(flt) (a) AND SI (fit) (b) AND pass(a) = pass(b) IMPLIES a = b) 


[1] pass(a! 1) ■ Pas 

[2] seat_exists(aircraft(flt!l) , seat(a!l)) 

{3} TRUE 

which is trivially true. 

This completes the proof of Cancel.assn.inv . 1 . 1 . 

Cancel.assn.inv . 1 .2 : 

[-1] (FORALL (a: seat.assignment) , (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

[-2] (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

SI (fit) (a) AND SI (fit) (b) AND pass(a) = pass(b) IMPLIES a = b) 

I — 

{1} Fit * fit ! 1 
[2] SI 

WITH [Fit := 

{a: seat.assignment | SI (Fit) (a) AND pass(a) /= Pas)-] (f It ! 1) (a! 1) 
IMPLIES seat. exists ( aircraft (fit ! II) , seat (a! 1) ) 

PVS responds that CanceLassninv.l.i is trivially true and informs us that “this completes 
the proof of Cancel.assnJLnv . 1 . 1.” However, our joy is shortlived because PVS quickly re- 
minds us about Cancel.assn_inv. 1.2. We are optimistic and try ASSERT: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

Cancel.assn.inv. 1 .2 : 

[-1] (FORALL (a: seat.assignment), (fit: flight): 

Si (fit) (a) IMPLIES seat_exists(aircraft(flt) , seat(aJ5)“ 

[-2] (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

SI (fit) (a) AND Sl(flt) (b) AND pass(a) = pass(b) IMPLIES a * b) 


[1] Fit = fltll 

{2} Sl(flt ! 1) (a! 1) IMPLIES seat_exists(aircraft(flt! 1) , seat(a!l)) 

Well, it was worth a try. The ASSERT command at least simplified formula {2} considerably. 
We remember that the PVS decision procedures do not like universal quantifiers and proceed to 
eliminate them with a INST command: 

Rule? (INST -1 "all" "fltll") 

Instantiating the top quantifier in -1 with the terms: 

(all fltll) 
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this simplifies to: 

Cancel_assn_inv.l.2 : 

{-1} Sl(flt ! 1) (a! 1) IMPLIES seat_exists(aircraft(flt!l) , seat(a!l)) 

[-2] (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 
SI (fit) (a) AND SI (fit) (b) AND pass(a) * pass(b) IMPLIES a « b) 

| 

[1] Fit * fit ! 1 

[2] Sl(flt ! 1) (a! 1) IMPLIES seat.exists (aircraft (fit ! 1) , seat(a!l)) 
which is trivially true. 

This completes the proof of Cancel_assn_inv. 1.2. 


This completes the proof of Cancel_assn_inv. 1 . 

Cancel_assn_inv.2 : 

[-1] (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

[-2] (FORALL (a: seat.assignment), (b: seat.assignment) , (fit: flight): 
Sl(f It) (a) AND Sl(flt) (b) AND pass(a) = pass(b) IMPLIES a - b) 


{1} (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 

SI 

WITH [Fit := 

{a: seat.assignment I SI (Fit) (a) AND pass (a) /* Pas }] (fit) (a) 

AND 

SI 

WITH [Fit := 

{a: seat.assignment | Sl(Flt)(a) AND pass(a) /= Pas}] (fit) (b) 
AND pass (a) = pass(b) 

IMPLIES a = b) 

PVS is satisfied that Cancel_assn_inv. 1 .2 is true and supplies us with Cancel.assnJ.nv. 2 which 
is left from our earlier SPLIT command. As usual we begin by removing the quantifiers with a 
SKOLEM command: 

Rule? (SKOLEM 1 ("AA" "B" "Flt2")) 

For the top quantifier in 1, we introduce Skolem constants: (AA B Flt2) 
this simplifies to: 

Cancel_assn_inv.2 : 

[-1] (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat (a))) 

[-2] (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 
Sl(flt) (a) AND Sl(flt) (b) AND pass(a) « pass(b) IMPLIES a - b) 
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I 

{1} SI 

WITH [Fit := 

{a: seat.assignment I SI (Fit) (a) AND pass(a) /= Pas}] (Flt2) (AA) 

AND 

SI 

WITH [Fit := 

{a: seat.assignment I SI (Fit) (a) AND pass (a) /= Pas}] (Flt2) (B) 

AND pass(AA) = pass(B) 

IMPLIES AA = B 

We can see that formula {1} is closely related to [-2] but is complicated because of the function 
modifications (i.e the WITH clauses). So we decide to use the same strategy as before, case split on 

Fit = Flt2: 

Rule? (CASE "Fit = Flt2") 

Case splitting on 
Fit = Flt2 , 

this yields 2 subgoals: 

Cancel_assn_inv . 2 . 1 : 

{-1} Fit = Flt2 

[-2] (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

[-3] (FORALL (a: seat .assignment) , (b: seat .assignment) , (fit: flight): 

SI (fit) (a) AND Sl(f It) (b) AND pass (a) = pass(b) IMPLIES a = b) 


[1] SI 

WITH [Fit := 

{a: seat.assignment I SI (Fit) (a) AND pass(a) /= Pas}] (Flt2) (AA) 

AND 

SI 

WITH [Fit :- 

{a: seat.assignment I SI (Fit) (a)^ND pass(a) /= Pas}] (Flt2) (B) 

AND pass(AA) = pass(B) 

IMPLIES AA * B 

We have two subgoals Cancel_assn_inv.2. 1 and Cancel_assn_inv.2.2. The system directs our 
attention to the . 1 formula. We issue an ASSERT command to collapse the WITH clauses in the 
presence of formula {-1}: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

Cancel_assn_inv.2. 1 : 

[-1] Fit - Flt2 

[-2] (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat.exists (aircraft (fit) , seat(a))) 
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[-3] (FORALL (a: seat.assignment) , (b: seat.assignment) , (fit: flight): 
SI (fit) (a) AND SI (fit) (b) AND pass(a) * pass(b) IMPLIES a « b) 


{1> (Sl(Flt) (AA) AND pass(AA) /* Pas) 

AND (SI (Fit) (B) AND pass(B) /= Pas) AND pass(AA) = pass(B) 

IMPLIES AA = B 

We need to get rid of the FORALL quantifier in formula [-3]. First, we must decide whether a 
skolemization or quantification is required. Here is the basic rule: FORALL quantifiers in formulas 
on the antecedent side and EXISTS quantifiers on the consequent side must be instantiated using 
INST (or the equivalent command (QUANT). EXISTS quantifiers in formulas on the antecedent side 
and FORALL quantifiers on the consequent side must be skolemized 10 . Thus, we need to use a INST 
command: 

Rule? (INST -3 "AA" "B" "Fit") 

Instantiating the top quantifier in -3 with the terms: 

(AA B Fit) 
this simplifies to: 

Cancel.assn.inv .2 . 1 : 

[-1] Fit = Flt2 

[-2] (FORALL (a: seat .assignment) , (fit: flight): 

SI (fit) (a) IMPLIES seat_exists(aircraft(flt) , seat (a))) 

{-3} SI (Fit) (AA) AND Sl(Flt)(B) AND pass(AA) = pass(B) IMPLIES AA * B 


[1] (Sl(Flt) (AA) AND pass(AA) /= Pas) 

AND (Sl(Flt)(B) AND pass(B) /* Pas) AND pass(AA) ■ pass(B) 

IMPLIES AA = B 

We notice that there are several ANDs in the formula so we decide to flatten it before we ASSERT: 
Rule? (FLATTEN) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

Cancel_assn_inv.2. 1 : 

[-1] Fit = Flt2 
{-2} SI (Fit) (AA) 

{-3} SI (Fit) (B) 

{-4} pass(AA) * pass(B) 

[-5] (FORALL (a: seat.assignment) , (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

[-6] SI (Fit) (AA) AND Sl(Flt)(B) AND pass(AA) » pass(B) IMPLIES AA » B 


{1} pass(AA) ■ Pas 
{2} pass(B) ■ Pas 
{3} AA = B 

10 If you guess wrong the theorem prover will promptly inform you. 
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We can see that {-2}, {-3} and {-4} will discharge the premise of [-6] yielding AA = B. This is 
identical to one of the consequent formulas, i.e.,{3}, so we should be done. We therefore issue an 
ASSERT command: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

Cancel_assn_inv.2. 1 : 

[-1] Fit = Flt2 
[-2] Sl(Flt) (AA) 

[-3] Sl(Flt) (B) 

[-4] pass(AA) * pass(B) 

[-5] (FORALL (a: seat.assignment) , (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

| 

[1] pass(AA) = Pas 

[2] pass(B) = Pas 

[3] AA = B 
{4} TRUE 

which is trivially true. 

This completes the proof of Cancel_assn_inv.2. 1 . 

Cancel_assn_inv.2.2 : 

[-1] (FORALL (a: seat.assignment), (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 
r-2] (FORALL (a: seat .assignment) , (b: seat .assignment) , (fit: flight): 

SI (fit) (a) AND SI (fit) (b) AND pass(a) = pass(b) IMPLIES a = b) 

{1} Fit = Flt2 
[2] SI 

WITH [Fit := 

{a: seat .assignment | SI (Fit) (a) AND pass(a) /= Pas}] (Flt2) (AA) 

AND 

Si 

WITH [Fit :» . 

•Ca: seat .assignment | SI (Fit) (a) AND pass (a) /= Pas}] (Flt2) (B) 

AND pass(AA) = pass(B) 

IMPLIES AA = B 

This finishes off Cancel_assn_inv.2.1 and we are onto Cancel_assn_inv.2.2. We decide to sim- 
plify with ASSERT: 


Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 
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Cancel_assn_inv.2.2 : 


[-1] (FORALL (a: seat .assignment) , (fit: flight): 

Sl(flt)(a) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

[-2] (FORALL (a: seat .assignment) , (b: seat .assignment) , (fit: flight): 
SI (fit) (a) AND SI (fit) (b) AND pass(a) * pass(b) IMPLIES a ■ b) 


[1] Fit « Flt2 

{2} Sl(Flt2) (AA) AND Sl(Flt2)(B) AND pass(AA) - pass(B) IMPLIES AA * B 
Next, we must eliminate the quantifiers in [-2] 11 . 

Rule? (INST -2 "AA" "B" "Flt2") 

Instantiating the top quantifier in -2 with the terms: 

(AA B Flt2) 
this simplifies to: 

Cancel_assn_inv.2.2 : 

[-1] (FORALL (a: seat .assignment) , (fit: flight): 

Sl(flt)(a) IMPLIES seat.exists (aircraft (fit) , seat (a))) 

{-2} Sl(Flt2) (AA) AND Sl(Flt2)(B) AND pass(AA) = pass(B) IMPLIES AA - B 

I 

[1] Fit » Flt2 

[2] SI (Flt2) (AA) AND Sl(Flt2)(B) AND pass(AA) - pass(B) IMPLIES AA * B 
which is trivially true. 

This completes the proof of Cancel_assn_inv.2.2. 


This completes the proof of Cancel_assn_inv.2. 
Q.E.D. 


Run time * 25.77 secs. 

Real time ■ 36.84 secs. 

Cancel.assn.inv : 

I 

{1} (FORALL (fit: flight), (pas: passenger), (si: assn.state) : 

assn.invariant(sl) IMPLIES assn. invariant (Cancel_assn(f It, pas, si))) 


11 The amount of typing required for this command can be reduced through use of the M-s command, which retrieves 
the previous commands. By issuing M-s M-s M-s M-s the system retrieves the command that was issued four times 
ago, i.e. (INST -3 ” AA” ”B” ”Flt2"). This is easily changed into (INST -2 ”AA” *B” ”Flt2”). 
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With the appearance of “Q.E.D.” we know we have succeeded. Using the PVS command M-x 
edit-proof we can see the total structure of the proof. PVS displays the completed proof as 
follows: 

(SKOLEM * ("Fit" "Pas" "SI")) 

(EXPAND "assn.invariant ") 

(EXPAND "existence") 

(EXPAND "uniqueness") 

(EXPAND "Cancel.assn") 

(EXPAND "member") 

(FLATTEN) 

(SPLIT 1) 

(("1" (SKOLEM 1 ("all" "fltll")) 

(CASE "Fit - fit ! 1") 

(("1" (ASSERT) 

(INST -2 "all" "Fit") 

(FLATTEN) 

(ASSERT) 

(PROPAX)) 

("2" (ASSERT) 

(INST -1 "all" "fltll") 

(PROPAX)))) 

("2" (SKOLEM 1 ("AA" "B" "Flt2")) 

(CASE "Fit = Flt2") 

(("1" (ASSERT) 

(INST -3 "AA" "B" "Fit") 

(FLATTEN) 

(ASSERT) 

(PROPAX)) 

("2" (ASSERT) 

(INST -2 "AA" "B" "Flt2") 

(PROPAX)))))) 

This may be edited and rerun using the C-c C-c command. 

3.2 Proof that Make_assn Maintains the Invariant 

In this subsection we will prove the Make_assn_inv invariant: 

Make_assn_inv: THEOREM assn_invariant(sl) => 

as sn_ invariant (Make_assn(f It ,pas ,pref , s 1) ) 

However, we will perform the proof in a slightly different manner this time — we will prove two lem- 
mas before we attack the theorem. We are doing this because we have noticed that assn-invariant 
consists of two separate properties, existence and uniqueness: 

assn.invariant: function [assn.state -> bool] ■ 

(LAMBDA as: existence(as) AND uniqueness (as)) 

that can be proved separately as lemmas: 
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MAe: THEOREM existence(sl) 

IMPLIES existence(Make_assn(flt,pas,pref ,sl)) 

MAu: THEOREM uniqueness (si) 

IMPLIES uniqueness (Make_assn(f It ,pas ,pref , si) ) 

Then, we will prove Make_assn_inv from these. The order of the proofs is not critical. However, 
many times it is valuable to prove that the main theorem follows from the lemmas so that one does 
not prove a useless lemma. 

3.2.1 Proof of MAe 

We begin with MAe 

MAe : 


{1} (FORALL (fit: flight), (pas: passenger), 

(pref: preference), (si: assn.state) : 
existence (si) IMPLIES existence (Make_assn(f It, pas, pref, si))) 

As in the previous proof, we need to eliminate the universal quantifier by skolemization. However, 
we will use the SKOSIMP command to do this. 

Rule? (SKQSIMP) 

For the top quantifier in 1, we introduce Skolem constants: (fit II pas ! 1 
prefll sill) this simplifies to: 

MAe : 


{1} existence(sl ! 1) IMPLIES existence(Make_assn(flt!l, pas ! 1 , prefll, sill)) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

MAe : 

{-1} existence(sl! 1) 

I 

{1} existence(Make_assn(flt! 1, pasll, prefll, sill)) 

The SKOSIMP command is equivalent to a SKOLEM! command followed by a FLATTEN command. 
Note that the names for the skolem constants are selected by the prover automatically. Next, we 
expand the definition of existence: 

Rule? (EXPAND "existence") 

Expanding the definition of existence 
this simplifies to: 

MAe : 

{-1} (FORALL (a: seat.assignment) , (fit: flight): 
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member(a, sl!l(flt)) IMPLIES Beat_exists(aircraft(flt) , seat(a))) 

I 

{1} (FORALL (a: seat.assignment), (fit: flight): 

member(a, Make_assn(flt 1 1 , pasll, prefll, sl!l)(flt)) 

IMPLIES seat.exists (aircraft (fit) , seat(a))) 

We expand the definition of Make_assn: 

Rule? (EXPAND "Make.assn") 

Expanding the definition of Make.assn 
this simplifies to: 

MAe : 

[-1] (FORALL (a: seat.assignment) , (fit: flight): 

member(a, sl!l(flt)) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

I- 

{1} (FORALL (a: seat.assignment), (fit: flight): 
member (a, 

IF pref _f illed(sl ! 1 , flt!l, pref!l) 

OR pass_on_flight(pas!l, flt!l, sl!l) THEN sl!l 
ELSE sill 

WITH [fit! 1 : = 

add((# seat := Next_seat(sl!l, flt!l, prefll), 
pass := pas! 1 
#), slll(fltll))] 

ENDIF(flt)) 

IMPLIES seat.exists (aircraft (fit) , seat(a))) 

In the previous theorem we had to expand member several times. So this time we decide to make 
this automatic through use of the AUTO-REWRITE command: 

Rule? (AUTO-REWRITE "member") 

Installing automatic rewrites: 
member , 

this simplifies to: 

MAe : 

[-1] (FORALL (a: seat.assignment), (fit: flight): 

member(a, slll(flt)) IMPLIES seat.exists (aircraft (fit) , seat(a))) 

| 

[1] (FORALL (a: seat.assignment), (fit: flight): 
member (a, 

IF pref _f illed(sl ! 1 , fit 11, prefll) 

OR pass.on.f light (pas! 1, fltll, sill) THEN sill 
ELSE sill - 

WITH [fltll := 

add((# seat :* Next_seat(sl!l, fltll, prefll), 
pass :« pasll 
#), slll(fltll))] 
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ENDIF(flt)) 

IMPLIES seat.exists (aircraft (fit) , seat (a))) 

Notice that AUTO-REWRITE does not immediately replace member with its definition. The rewrite 
will take place when one issues an ASSERT command. We issue another SKOSIMP command to 
eliminate the universal quantifiers in formula [1]: 

Rule? (SKOSIMP) 

For the top quantifier in i, we introduce Skolem constants: (all flt!2) 
this simplifies to: 

MAe : 

[-1] (FORALL (a: seat.assignment) , (fit: flight): 

member(a, sl!l(flt)) IMPLIES seat_exists(aircraft(flt) , seat(a))) 

I-- 

-Cl} member(a!l, 

IF pref _f illed(sl ! 1 , flt!l, pref!l) 

OR pass_on_f light (pas! 1, flt!l, si!l) THEN sl!l 
ELSE sill 

WITH [fit ! 1 := 

add((# seat := Next_seat(sl ! 1 , flt!l, prefll), 
pass := pas!l 
#), si ! 1 (fit ! i) )] 

ENDIF(flt!2)) 

IMPLIES seat.exists (aircraft (fit! 2) , seat(a!l)) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

MAe : 

[-1] (FORALL (a: seat .assignment) , (fit: flight): 

member(a, sl!l(flt)) IMPLIES seat_exists(aircraft(flt) , seat(a))) 
{-2} member(a!l, 

IF pref _f illed(sl ! 1, flt!l, pref!l) 

OR pass.on.f light (pas! 1, flt!i, sl!l) THEN sl!l 
ELSE si ! 1 

WITH [fit ! 1 :■ 

add((# seat :■ Next_seat(sl ! 1 , flt!l, prefil), 
pass :* pas ! 1 
#), si! l(flt! 1))] 

ENDIF(flt!2)) 

I- 

<1> seat.exists (aircraft (fit !2) , seat(a!l)) 

The universal quantifier in {-1} must be removed by quantification. We want the expression 
“seat_exists (aircraft (fit) , seat(a)))” in formula [-1] to match formula {1}, so a!l should 
be substituted for a and fit !2 for fit. For variety we will use the QUANT command rather than the 
INST command. Functionally they are identical; however, QUANT requires an extra layer of paren- 
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theses (i.e., (qUANT -1 ("all" "f It ! 2") ) does the same thing as the (INST -1 "all" "flt!2") 
command). 

Rule? (qUANT -1 ("all" "fit! 2")) 

Instantiating the top quantifier in -1 with the terms: 

(all fit !2) 
this simplifies to: 

MAe : 

{-1} member(a!l, sl!l(flt!2)) IMPLIES seat.exists (aircraft (fit! 2) , seat(a!l)) 
[-2] member(a!l, 

IF pref.f illed(sl ! 1 , fltil, pref!l) 

OR pass_on_f light (pas! i, fltil, sl!l) THEN s 1 ! 1 
ELSE si ! 1 

WITH [fit ! 1 := 

add((# seat := Next_seat (si ! 1 , flt!l, prefil), 
pass := pas! 1 
#), sill (fit II))] 

ENDIF(f It ! 2) ) 


[l] seat_exists(aircraft(flt!2) , seat(a!l)) 

We simplify with ASSERT: 

Rule? (ASSERT) 

Rewriting member(a! 1 , sill (fit ! 2) ) to si ! l(flt!2) (a! 1) . 

Rewriting member(a! 1 , 

IF pref _f illed(sl ! 1 , fltil, prefil) 

OR pass_on_f light (pas ! 1 , fltil, sl!l) THEN sill 
ELSE si ! 1 

WITH [fltil := 

add((# seat := Next_seat(sl ! 1, fltil, prefil), pass := pasll 
#), slll(fltli))] 

ENDIF(flt!2)) to IF pref _f illed(sl ! 1 , fltil, prefil) 

OR pass_on_f light (pas! 1, fltil, s 1 ! 1) THEN sill 
ELSE si ! 1 

WITH [fltil := 

add((# seat := Next_seat(sl! 1, fltil, prefil), pass pasll 
#), slll(fltll))] 

ENDIF(f It ! 2) (a! 1) . 

Invoking decision procedures, 
this simplifies to: 

MAe : 

-C-1) IF pref _f illed(sl 1 1 , fltil, prefil) 

OR pass_on_f light (pas ! 1 , fltil, sill) THEN sill 
ELSE si ! 1 

WITH [fltil :■ 

add((# seat :■ Next_seat(sl!l, fltil, prefil), pass :* pasll 
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#), si ! l(flt ! 1) )] 

ENDIF(flt !2) (a! 1) 

| 

{1} si! l(flt!2) (a! 1) 

[2] seat.exists (aircraft (fit ! 2) , seat (all)) 

We notice that the rewrites of member takes place at this time. We also notice that the IF THEN 
ELSE structure in formula {-1} is not at the outer most level (i.e. the text (flt!2)(a!l) follows 
the ENDIF), so we issue a LIFT-IF command: 

Rule? (LIFT-IF -1) 

Lifting IF-conditions to the top level, 
this simplifies to: 

MAe : 

{-1} IF pref _f illed(sl ! 1, flt!l, prefll) 

OR pass_on_f light (pas ! 1 , flt!l, sl!l) THEN si! l(flt!2) (a! 1) 

ELSE 
si ! 1 

WITH [fit ! 1 := 

add((# seat :* Next_seat(sl ! 1 , flt!l, prefll), pass :■ pas!l 
#), si ! l(f It ! 1) )] (fit !2) (a! 1) 

ENDIF 
| 

[1] si ! l(flt ! 2) (a! 1) 

[2] seat.exists (aircraft (fit !2) , seat(a!l)) 

Now that the IF THEN ELSE is at the outermost level it can be split into two sequents using the 
SPLIT command (i.e., IF A THEN B ELSE C ENDIF is equivalent to A D B A NOT A D C.) Thus, 
we use a SPLIT command: 

Rule? (SPLIT -1) 

Splitting conjunctions, 
this yields 2 subgoals : 

MAe. 1 : 

{-1} (pref _f illed(sl ! 1 , flt!l, prefil) OR pass_on_flight(pas!l, flt!l, sl!l)) 
AND si ! l(flt !2) (a! 1) 

I 

[1] si! l(flt!2) (a! 1) 

[2] seat.exists (aircraft (fit! 2) , seat(a!l)) 

We issue the GROUND command to finish off the proof of this sequent: 

Rule? (GROUND) 

Applying propositional simplification and decision procedures. 

This completes the proof of MAe.l. 

MAe. 2 : 
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{-1} NOT 

(pref _f illed(sl ! 1 , flt!l, prefll) 

OR pass_on_f light (pas ! 1 , flt!l, si! 1) ) 

AND 

sill 

WITH [fit ! 1 := 

add((# seat := Next_seat(sl 1 1 , flt!l, prefll), pass pasll 
#), sl!l(flt!l))](flt!2)(a!l) 


[1] si ! 1 (fit ! 2) (a! 1) 

[2] seat.exists (aircraft (fit 12) , seat(all)) 

The ground procedures simplify the sequent to the point where PVS recognizes the formula as 
true. PVS writes “This completes the proof of MAe.l” and turns our attention to MAe.2. 
Encouraged by our progress, we decide to expand add according to its definition: 

Rule? (EXPAND "add") 

Rewriting member (y, slll(fltll)) to si ! 1 (f It ! 1) (y) . 

Expanding the definition of add 
this simplifies to: 

MAe.2 : 

{-1} NOT 

(pref _f illed(sl ! 1 , fltll, prefll) 

OR pass_on_f light (pas! 1, fltll, sill)) 

AND 

sill 

WITH [fltll := 

{y: [# seat: [row, position], pass: passenger #] I 
(# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) ■ y 
OR sill (fit 1 1) (y)}] (fit 1 2) (a! 1) 


[1] si I l(flt 12) (a! 1) 

[2] seat.exists (aircraft (fit 12) , seat(all)) 

There is nothing in the antecedent formula that will make [l] or [2] true by itself. Formula [2] asserts 
that the seat determined by seat(a! 1) actually exists. But formula{-l} tells us that seat(a! 1) is 
obtained from the Next_seat function. In our specification, we left these functions as uninterpreted 
functions. Earlier we stated that we would need a property about these functions in order to make 
the proofs go through. This is where we recognize this need. The desired property is also obvious—, 
the property given in the Next _s eat _ax axiom. We make this axiom available Tn the sequent by 
use of the LEMMA command: 

Rule? (LEMMA "Next.seat.ax") 

Applying Next.seat.ax where 
this simplifies to: 

MAe.2 : 
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{-1} (FORALL (fit: flight), (pref : preference), (si: assn.state) : 

NOT pref.f illed(sl , fit, pref) 

IMPLIES seat.exists (aircraft (fit) , Next_seat(sl , fit, pref))) 

[-2] NOT 

(pref _f illed(sl ! 1 , flt!l, prefll) 

OR pass_on_flight(pas!l, flt!l, sl!l)) 

AND 
si ! 1 

WITH [fit ! 1 := 

{y: [# seat: [row, position], pass: passenger #] I 
(# seat := Next_seat(sl!l, flt!l, prefll), pass :■ pas!l #) ■ y 
OR si ! 1 (fit 1 1) (y)}] (fit !2) (a! 1) 

I- 

[1] si ! l(f It !2) (a! 1) 

[2] seat_exists(aircraft(flt!2) , seat(a!l)) 

Whenever one introduces a lemma one usually must quantify the universal variables in this lemma: 

Rule? (INST -1 "fltll " "prefll" "sill") 

Instantiating the top quantifier in -1 with the terms: 

(fltll prefll sill) 
this simplifies to: 

MAe.2 : 

{-1} NOT pref _f illed(sl 1 1 , fltll, prefll) 

IMPLIES seat.exists (aircraft (fit 1 1) , Next_seat(sl! 1 , fltll, prefll)) 

[-2] NOT 

(pref _f illed(sl 1 1 , fltll, prefll) 

OR pass.on.f light (pas! 1 , fltll, sill)) 

AND 

sill 

WITH [fltll :« 

■Cy: [# seat: [row, position], pass: passenger #] I 
(# seat := Next_seat(sl!l, fltll, prefll), pass :« pas 11 #) ■ y 
OR si! 1 (fit 1 1) (y)}] (fit 12) (a! 1) 

I 

[1] si 1 l(f It 12) (a! 1) 

[2] seat.exists (aircraft (fit! 2) , seat(all)) 

We now issue a GROUND command: 

Rule? (GROUND) 

Applying propositional simplification and decision procedures, 
this simplifies to: 

MAe.2 : 

{-1} seat.exists (aircraft (fit 11), Next_seat(sl!l, fltll, prefll)) 

{-2} sill 

WITH [fltll :■ 
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■Cy: [# seat: [row, position], pass: passenger #] I 
(# seat := Next.seat (si 1 1 , fltli, pref!l), pass := pas!l #) = y 
OR si ! 1 (fit 1 1) (y)}] (fit ! 2) (a! 1) 


{ 1 > 

{ 2 > 

[3] 

[4] 

We notice that formula {-2} modifies sill at fltli but then retrieves the value for fit 12. For 
all cases other than fltli s fit 1 2 this formula would be much simpler. Therefore, we perform a 
case split on fltli = fit 1 2: 

Rule? (CASE "fltli = fit 1 2") 

Case splitting on 
fltli = fit 12, 
this yields 2 subgoals: 

MAe .2.1 : 

{-1} fltli - fit 1 2 

[-2] seat_exists(aircraf t (fit 1 1) , Next_seat(sl! 1, fltli, prefll)) 

[-3] sill 

WITH [fltli := 

•Cy: [# seat: [row, position], pass: passenger #] I 
(# seat := Next_seat(sl 1 1 , fit!!, prefll), pass := pas II #) * y 
OR sill (fit 1 1) (y)}] (fit 12) (all) 


[1] pref_filled(sl!l, fltli, pref 1 1) 

[2] pass_on_f light (pas 1 1 , fltli, sill) 

[3] si I l(f It 12) (all) 

[4] seat_exists(aircraft(flt!2) , seat(all)) 

We issue a GROUND command to finish off this sequent: 

Rule? (GROUND) 

Applying propositional simplification and decision procedures. 

This completes the proof of MAe.2.1. 

MAe. 2. 2 : 

[-1] seat_exists(aircraft(flt! 1) , Next_seat(sl!i, fltli, prefll)) 

[-2] sill 

WITH [fltli := 

{y: [# seat: [row, position], pass: passenger #] I 
(# seat := Next_seat(sl 1 1 , fltli, prefll), pass := pasll #) = y 
OR si I l(f It 1 1) (y)}] (fit 1 2) (a! 1) 


{!> fltli = fit 1 2 


pref _f illed(sl 1 1 , fltli, prefll) 
pass. on.f light (pas! 1, fltli, sill) 
sill (fit 1 2) (a! 1) 

seat_exists(aircraft(flt!2) , seat(a! 1)) 
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[2] pref _f illed(sl I 1 , fltll, prefll) 

[3] pass_on_flight(pas! 1, fit ! 1 , sill) 

[4] si ! l(f It !2) (a! 1) 

[5] seat.exists (aircraft (fit! 2) , seat (all)) 

The theorem prover presents us with MAe2 . 2 . We issue another GROUND command: 
Rule? (GROUND) 

Applying propositional simplification and decision procedures, 
This completes the proof of MAe.2.2. 


This completes the proof of MAe.2. 
q.E.D. 


Run time ■ 13.18 secs. 

Real time = 23.47 secs. 

MAe : 

I- 

{1} (FORALL (fit: flight), (pas: passenger), 

(pref: preference), (si: assn.state) : 
existence(sl) IMPLIES existence (Make.assn (fit, pas, pref, si))) 

> 

We are happy to see the arrival of “Q.E.D.” but then remember that MAu and the main theorem 
still await us. The complete proof is displayed by M-x edit-proof as: 

("" (SKOLEM 1 

("fit ! 1" "pas ! 1" "prefll" "sl!l")) 

(FLATTEN) 

(EXPAND "existence") 

(EXPAND "Make.assn") 

(AUTO-REWRITE "member") 

(SKOLEM 1 ("all" "flt!2")) 

(FLATTEN) 

(QUANT -1 ("all" "flt!2")) 

(ASSERT) 

(LIFT-IF -1) 

(SPLIT -1) 

(("1" (GROUND)) 

("2" (EXPAND "add") 

(LEMMA "Next.seat.ax") 

(INST -1 "fit ! 1 " "prefll" "sill") 

(GROUND) 
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(CASE "fit! 1 » fit! 2") 

(("1" (GROUND)) ("2" (GROUND)))))) 


3.2.2 Proof of MAu 

This lemma is a little harder than MAe, but encouraged by past success we eagerly press on, issuing 

M-x pr on MAu: 

MAu : 

| 

{1} (FORALL (fit: flight), (pas: passenger), 

(pref: preference), (si: assn. state) : 
uniqueness(sl) IMPLIES uniqueness (Make. assn(f It , pas, pref, si))) 

The first step is fairly routine by now — we eliminate the universal quantifiers: 

Rule? (SKOSIMP) 

For the top quantifier in 1, we introduce Skolem constants: (fit ! 1 pas!l 
prefll sill) this simplifies to: 

MAu : 


{1} uniqueness(sl ! 1) IMPLIES uniqueness (Make. assn(f It ! 1 , pasll, prefll, s 1 ! 1 ) ) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

MAu : 

{-1} uniqueness (si ! 1) 

I 

*Cl> uniqueness (Make. assn(f It ! 1 , pasll, prefll, sill)) 


We know that the Make_assn function is defined using the sets theory in the prelude, so we 
decide to automate the expanding of the functions in this theory using the AUTO-REWRITE-THEORY 
command. This command is similar to the AUTO-REWRITE command except that instead of naming 
a particular function that is to be automatically expanded, one just provides the name of a theory. 
All of the functions in this theory will automatically be expanded when an ASSERT command is 
issued. 

Rule? (AUTO-REWRITE-THEORY "sets [seat. assignment] ") 

Adding rewrites from theory sets [seat. assignment] 

Adding rewrite rule member 
Adding rewrite rule union 
Adding rewrite rule intersection 
Adding rewrite rule difference 
Adding rewrite rule add 
Adding rewrite rule remove 
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Adding rewrite rule singleton 
Adding rewrite rule subset? 

Adding rewrite rule strict. subset? 

Adding rewrite rule empty? 

Adding rewrite rule empty set 
Adding rewrite rule nonempty? 

Adding rewrite rule fullset 
Adding rewrite rule disjoint? 

Adding rewrite rule extensionality 
Auto-rewritten theory sets [seat.assignment] 
Rewriting relative to the theories: 
sets [seat.assignment] , 

NIL, 

NIL, 

this simplifies to: 

MAu : 

[-1] uniqueness(sl ! 1) 


[1] uniqueness (Make.assnCflt ! 1 , pasll, pref!l, sl!l)) 

The prover lists the names of the functions from the sets theory that will automatically be ex- 
panded. We now expand uniqueness: 

Rule? (EXPAND "uniqueness") 

Rewriting member (a, sl!l(flt)) to si ! l(flt) (a) . 

Rewriting member (b, sl!l(flt)) to si ! l(flt) (b) . 

Rewriting member (a, Make.assnCflt! 1, ...)(flt)) to Make.assnCflt ! 1 , ...)(flt)(a) 
Rewriting member (b, Make.assnCflt! 1, ...)(flt)) to Make.assnCflt! 1, ...)(flt)(b) 
Expanding the definition of uniqueness 
this simplifies to: 

MAu : 

{-1} (FORALL (a: seat.assignment), (b: seat.assignment) , (fit : flight): 

sl!l(flt)(a) AND sl!l(flt)(b) AND pass(a) ■ pass(b) IMPLIES a ■ b) 

I 

{1} (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): 
Make.assnCflt! 1, pas!l, prefil, si !1) (fit) (a) 

AND Make.assnCflt !1, pas!l, preffl, si! 1) (fit) (b) 

AND pass (a) = pass(b) 

IMPLIES a = b) 

We remove the universal quantifiers in formula {1} using SKOSIMP: 

Rule? (SKOSIMP) 

For the top quantifier in 1, we introduce Skolem constants: (a ! 1 b ! 1 fit! 2) 
this simplifies to: 

MAu : 
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[-1] (FORALL (a: seat .assignment) , (b: seat .assignment) , (fit: flight): 

sl!l(flt)(a) AND sl!l(flt)(b) AND pass(a) ■ pass(b) IMPLIES a = b) 


<i> Make_assn(f It ! 1 , pasll, pref!l, si ! 1) (fit ! 2) (a! 1) 

AND Make_assn(flt ! 1 , pas!l, prefll, si! l)(flt!2) (b! 1) 

AND pass(a!l) = pass(b!l) 

IMPLIES all = b ! 1 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

MAu : 

[-1] (FORALL (a: seat.assignment) , (b: seat.assignment) , (fit: flight): 

si !1 (fit) (a) AND sl!l(flt)(b) AND pass(a) * pass(b) IMPLIES a = b) 
{-2} Make_assn(flt! 1, pasll, prefll, si 1 1) (fit 12) (a! 1) 

{-3} Make_assn(f It 1 1 , pasll, prefll, si 1 1) (f It 12) (b! 1) 

{-4} pass(all) = pass(bll) 

I 

{1} all = b 1 1 

We instantiate formula [-1] with the constants just created in the previous skolemization: 

Rule? (INST -1 "all" "bll" "flt!2") 

Instantiating the top quantifier in -1 with the terms: 

(all bll fit 1 2) 
this simplifies to: 

MAu : 

{-1} sill (fit 12) Cal 1) AND si I l(f It 1 2) (b 1 1) AND pass(all) = pass(bll) 
IMPLIES all = bll 

[-2] Make_assn(flt 1 1 , pasll, prefll, si 1 1) (fit 12) (a! 1) 

[-3] Make_assn(flt!l, pasll, prefll, si 1 1) (fit 12) (b! 1) 

[-4] pass(all) s pass(bll) 

I 

[1] all = bll 

We realize we aren’t going much further until we expand Make_assn: 

Rule? (EXPAND "Make.assn") 

Expanding the definition of Make.assn 
this simplifies to: 

MAu : 

[-1] si I l(flt 12) (a! 1) AND sill (fit 12) (b 1 1) AND pass(all) = pass(bll) 
IMPLIES all = bll 

{-2} IF pref _f illed(sl 1 1 , fltll, prefll) 

OR pass.on.f light (pas! 1 , fltll, sill) THEN sill 
ELSE sill 

WITH [fltll := 
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add((# seat := Next_seat(sl! 1, fltll, prefll), pass :■ pas!l 
#), si ! l(flt ! 1))] 

ENDIF(flt!2) (a! 1) 

{-3> IF pref _f illed(sl ! 1 , fltll, prefll) 

OR pass_on_f light (pas! 1, flt!l, sl!l) THEN sl!l 
ELSE sill 

WITH [fit ! 1 : = 

add((# seat : = Next_seat(sl! 1, flt!l, prefll), pass :* pasll 
#), si ! 1 (fit ! 1) )] 

ENDIF(flt ! 2) (b ! 1) 

[-4] pass (all) * pass(b!l) 

I- 

[1] all * b! 1 

We are ready for member to be rewritten so we issue an ASSERT command: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

HAu : 

[-1] IF pref _f illed(sl ! 1 , fltll, prefll) 

OR pass.on.f light (pas 1 1 , fltll, sill) THEN sill 
ELSE sill 

WITH [fltll := 

add((# seat := Next_seat(sl!l, fltll, prefll), pass :■ pasll 
#), slll(fltll))] 

ENDIF(flt!2) (a! 1) 

[-2] IF pref _f illed(sl 1 1 , fltll, prefll) 

OR pass_on_f light (pas! 1, fltll, sill) THEN sill 
ELSE sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :■ pasll 
#), slll(fltll))] 

ENDIF(f It 1 2) (b 1 1) 

[-3] pass(all) * pass(bll) 

I 

{1} si! l(flt!2) (a! 1) AND si I l(flt 12) (b! 1) 

[2] all * b! 1 

We notice that the IF-THEN-ELSE structures in formulas {-1} and {-2} are not at the outermost 
level, so we issue a LIFT-IF command: 

Rule? (LIFT-IF -1 -2) 

Lifting IF- conditions to the top level, 
this simplifies to: 

HAu : 

{-1} IF pref_filled(sl!l, fltll, prefll) 
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OR pass_on_f light(pas ! 1 , fltll, sl!l) THEN si ! 1 (f It ! 2) (a! 1) 

ELSE 

sill 

WITH [fltll := 

add((# seat := Next_seat(sl ! 1 , fltll, prefll), pass := pas 11 
#), si 1 l(f It 11))] (fit 12) (a! 1) 

ENDIF 

{-2} IF pref _f illed(sl ! 1 , fltll, prefll) 

OR pass_on_f light (pas 1 1 , fltll, sill) THEN si 1 1 (f It 1 2) (b 1 1) 

ELSE 

sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), si 1 1 (fit 1 1))] (fit 12) (b! 1) 

ENDIF 

[-3] pass(all) = pass(bll) 

| 

[1] si! l(flt 12) (all) AND si 1 1 (f It 12) (b 1 1) 

[2] all = b! 1 

A case split on fit! 1 = fit 12 seems in order: 

Rule? (CASE "fltll - fit 12") 

Case splitting on 
fltll * fit 12, 
this yields 2 subgoals : 

MAu.l : 

{-1} fltll = fit 12 

[-2] IF pref _f illed(sl 1 i , fltll, prefll) 

OR pass_on_f light(pas 1 1 , fltll, sill) THEN si 1 l(flt 12) (a! 1) 

ELSE 

sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1, fltll, prefll), pass := pasll 
#), si 1 l(f It 11))] (fit 1 2) (a! 1) 

ENDIF 

[-3] IF pref _f illed(sl 1 1 , fltll, prefll) 

OR pass.on.f light (pasll, fltll, sill) THEN si 1 1 (fit 1 2) (b 1 1) 

ELSE 

sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), si 1 l(f It 11))] (fit 12) (b! 1) 

ENDIF 

[-4] pass (a 11) ■ pass (b 11) 

I 

[1] si 1 1 (fit 1 2 ) (a! 1) AND si 1 1 (f It 12) (b! 1) 
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[2] all * b! 1 

We now collapse the IF THEN ELSE structure with a GROUND command: 

Rule? (ground) 

Applying propositional simplification and decision procedures, 
this yields 2 subgoals: 

HAu .1.1 : 

{-1} sill 

WITH Cf It ! 1 :* 

add((# seat := Next_seat(sl ! 1 , fltll, prefll), pass :- pasll 
#), si ! l(f It ! 1) )] (f It !2) (b! 1) 

{-2} sill 

WITH Cf It ! 1 

add((# seat := Next_seat(sl ! 1 , flt!l, prefll), pass :» pasll 
#), si ! l(f It II))] (fit 12) (a! 1) 

[-3] fit II - fit 1 2 

[-4] pass (all) = pass (b II) 

I 

{1} pref _f illed(sl 1 1 , fltll, prefll) 

{2} pass_on_flight(pas! 1, fltll, sill) 

{3} pref .filled (si 1 1 , fltll, prefll) 

{4} pass.on.f light (pas 1 1 , fltll, sill) 

{5} si 1 1 (fit 1 2) (a! 1) 

[6] all = b 1 1 

The GROUND command produces two subgoals. We notice that formulas {3} and {4 } are identical 
to formulas {1} and {2}, so we hide {3} and {4} to remove the clutter: 

Rule? (HIDE 3 4) 

Hiding formulas: 3, 4, 

this simplifies to: 

MAu .1.1 : 

[-1] sill 

WITH [fltll :« 

add((# seat :* Next.seat (si 1 1, fltll, prefll), pass :■ pasll 
#), sill (fltll))] (fit! 2) (b!l) 

[-2] sill 

WITH [fltll :- 

add((# seat :* Next_seat(sl! 1, fltll, prefll), pass :■ pasll 
#), si II (fit II))] (fit 1 2) (all) 

[-3] fltll « fit 1 2 

[-4] pass(all) * pass (b II) 

| 

[1] pref _f illed(sl 1 1 , fltll, prefll) 

[2] pass_on.fi ight(pas! 1, fltll, sill) 

[3] si I l(flt 1 2) (a! 1) 

[4] a! 1 ■ b! 1 
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We need to establish that all ® b!l given that pass (all) * pass(b!l). We remember that 
pass_on_flight constrains the passenger fields to be unique, so we expand it: 

Rule? (EXPAND "pass.on.f light") 

Rewriting member (a, sl!l(flt!l)) to si ! l(flt ! 1) (a) . 

Expanding the definition of pass_on_f light 
this simplifies to: 

MAu .1.1 : 

[-1] sill 

WITH [fit ! 1 := 

add( (# seat := Next_seat(sl ! 1 , flt!l, prefil), pass := pasil 
#), si! 1 Cf It * 1))] (fit! 2) (b! 1) 

[-2] si! 1 

WITH [fltil 

add( (# seat := Next_seat(sl ! 1 , flt!l, prefil), pass := pas!l 
#), si ! 1 (fit ! 1) )] (fit ! 2) (a! 1) 

[-3] fltil = fit! 2 

[-4] pass(a! 1) = pass(b!l) 

I - 

[1] pref _f illed(sl ! 1 , fltil, prefil) 

{2} (EXISTS (a: seat .assignment) : pass(a) = pas!l AND si! 1 (fit ! 1) (a)) 

[3] si ! l(f It ! 2) (a! 1) 

[4] a! 1 = b! 1 

We are ready to instantiate formula {2}, but then realize that we are going to need two instances of 
it, one for a! 1 and one for b! I 12 . Thus, we will use the INST-CP command which saves the original 
form of the formula in addition to the instantiated form: 

Rule? (INST-CP 2 "a!l") 

Instantiating the top quantifier in 2 with the terms: 
all, , 

this simplifies to: 

MAu. 1.1 : 

[-1] si ! 1 

WITH [fltil :« 

add((# seat := Next. seat (si ! 1 , flt!l, prefil), pass := pas!l 
#), sill (fit ! 1) )] (fit ! 2) (b! 1) 

[-2] sill 

WITH [fit ! 1 

add((# seat := Next. seat (si! 1, fltil, prefil), pass := pas!l 
#), si I l(flt II))] (fit 12) (all) 

[-3] fltil * fit 1 2 

[-4] pass(all) = pass(bll) 


[1] pref _f illed(sl 1 1 , fltil, prefil) 

12 It actually took me about an hour to figure this out. 
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[2] (EXISTS (a: seat.assignment) : pass(a) = pas!l AND si ! l(flt! 1) (a)) 

{3} pass(a!l) a pasll AND si ! 1 (f It ! 1) (a! 1) 

[4] si! l(flt!2) (a! 1) 

[5] all * b! 1 

Now we can instantiate it with b! 1 as well: 

Rule? (INST 2 "b!l") 

Instantiating the top quantifier in 2 with the terms: 
b! 1, 

I 

this simplifies to: 

MAu .1.1 : 

[-1] si ! 1 

WITH [fit ! 1 := 

add((# seat := Next_seat(sl 1 1 , flt!l, pref!l), pass := pasll 
#), si ! l(f It ! 1))] (f It !2) (b! 1) 

[-2] si ! 1 

WITH [fit ! 1 := 

add((# seat := Next_seat(sl! 1, flt!l, prefll), pass :» pasll 
#), s 1 ! 1 (fit ! 1 ) ) ] (fit ! 2) (a! 1) 

[-3] fit ! 1 « fit! 2 

[-4] pass(a! 1) = pass(b!l) 

I 

[1] pref _f illed(sl ! 1 , flt!l, prefil) 

{2} pass(b! 1) = pas ! 1 AND si ! l(flt ! 1) (b! 1) 

[3] pass(a! 1) = pas!l AND si ! 1 (fit ! 1) (a! 1) 

[4] sill (fit! 2) (all) 

[5] a! 1 * b! 1 

We issue an ASSERT command to complete the proof of this sequent: 

Rule? (ASSERT) 

Rewriting member(b!l, sl!l(flt!l)) to si 1 l(flt 1 1) (bl 1) . 

Rewriting add((# seat := Next_seat(sl ! 1 , flt!l, prefll), pass :■ pasll #) , 
sill (fit ! 1) ) (b ! 1) to (# seat := Next_seat(sl! 1, fltll, prefll), 
pass := pasll #) ■ b 1 1 OR si 1 l(flt 1 1) (b! 1) . 

Rewriting member(a! 1 , sill (fit 11)) to FALSE. 

Rewriting add((# seat := Next.seat(sl! 1, fltll, prefll), pass :- pasll #) , 
si 1 l(flt 1 1) ) (a! 1) to (# seat :* Next_seat(sl! 1, fltll, prefll), 
pass := pasll #) ■ all. 

Invoking decision procedures. 

This completes the proof of MAu. 1.1. 

MAu. 1.2 : 
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{-1} si ! 1 

WITH [fltll := 

add((# seat := Next.seat (si 1 1 , fltll, prefll), pass : = pasll 
#), sl!l(flt!l))](flt!2)(b!l) 

{-2} sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), si! l(flt! 1))] (fit 12) (a! 1) 

[-3] fltll = fit 12 

[-4] pass (all) = pass (b 11) 


{1} pref _f illed(sl 1 1 , fltll, prefll) 

{2} pass_on_f light (pas 1 1 , fltll, sill) 

{3} pref _f illed(sl 1 1 , fltll, prefll) 

{4} pass_on_f light (pasll, fltll, sill) 

{5} si 1 1 (fit 1 2) (b 1 1) 

[6] all = bll 

P VS tells us, “This completes the proof of MAu. 1 . 1” and presents MAu. 1 .2 to us. Once again 
we notice that formulas {3} and {4 } are identical to formulas {1} and {2}, so we hide {3} and {4} 
to remove the clutter: 

Rule? (HIDE 3 4) 

Hiding formulas: 3, 4, 

this simplifies to: 

MAu. 1.2 : 

[-1] sill 

WITH [fltll :* 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), si! 1 (fit 11))] (fit 12) (b! 1) 

[-2] sill .. ...... .... 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), sill (fit 11))] (fit 12) (all) 

[-3] fltll = fit 12 

[-4] pass (all) » pass(bll) 

| 

[1] pref_filled(sl!l, fltll, prefll) 

[2] pass_on_flight(pas!l, fltll, sill) 

[3] si! l(flt!2) (b! 1) 

[4] all = bll 

As in the other subgoal, we expand pass_on_flight: 

Rule? (EXPAND "pass_on_flight") 

Rewriting member(a, sill (fit 11)) to si 1 l(f It 1 1) (a) . 

Expanding the definition of pasB_on_flight 
this simplifies to: 
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HAu .1.2 : 


[-1] si! 1 

WITH [fit ! 1 :■ 

add((# seat := Next_seat(sl 1 1 , fltll, 
#), si ! 1 (fit ! 1) )] (f It !2) (b! 1) 

[-2] si ! 1 

WITH [fltll := 

add((# seat := Next_seat(sl ! 1 , fltll, 
#), sill (fit 11))] (fit! 2) (all) 
[-3] fltll = fit 1 2 

[-4] pass(all) = pass(bll) 


[1] pref_filled(sl! 1, fltll, prefll) 

{2} (EXISTS (a: seat .assignment) : pass(a) = pas II AND si I l(f It 1 1) (a) ) 

[3] si 1 1 (fit 1 2) (b II) 

[4] all = b! 1 

and doubly instantiate formula 2: 

Rule? (INST-CP 2 "all") 

Instantiating the top quantifier in 2 with the terms: 
all, , 

this simplifies to: 

MAu .1.2 : 

[-1] sill 

WITH [fltll := 

add( (# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), si! 1 (fit 1 1))] (fit 1 2) (b! 1) 

[-2] sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :■ pasll 
#), si I l(f It II))] (fit 12) (all) 

[-3] fltll « fit 1 2 

[-4] pass(all) = pass(bll) 

I 

[1] pref _f illed(sl 1 1 , fltll, prefll) 

[2] (EXISTS (a: seat.assignment) : pass(a) * pasll AND sl!l(flt! 1) (a)) 
{3} pass(all) « pasll AND si I l(f It 1 1) (a! 1) 

[4] si 1 1 (fit 1 2) (b II) 

[5] all ■ b! 1 

Rule? (INST 2 "bll") 

Instantiating the top quantifier in 2 with the terms: 
bll, 

1 

this simplifies to: 


prefll), pass :* pasll 


prefll), pass pasll 
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M Au .1.2 : 


[-1] sill 

WITH [fit ! 1 := 

add((# seat := Next_seat(sl 1 1 , flt!l, prefll), pass := pas!l 
#), si ! 1 (fit ! 1) )D (fit ! 2) (b! 1) 

[-2] sill 

WITH [fit ! 1 := 

add((# seat := Next^seat(sl ! 1 , fltll, prefll), pass := pasll 
#), si ! l(f It 1 1) )] (fit 12) (a! 1) 

[-3] fltll = fit 12 

[-4] pass(all) = pass(bll) 

| 

[1] pref _f illed(sl ! 1 , fltll, prefll) 

{2} pass(bll) = pasll AND si 1 1 (f It 1 1) (b! 1) 

[3] pass(all) a pasll AND sl!l(flt!l)(a!l) 

[4] si 1 l(f It 1 2) (b! 1) 

[5] all = b 1 1 

We issue an ASSERT command to simplify: 

Rule? (ASSERT) 

Rewriting member (b! 1 , sill (fit 11)) to FALSE. 

Rewriting add((# seat := Next_seat(sl 1 1, fltll, prefll), pass := pasll #) , 
s 1 ! 1 (fit 1 1 ) ) (b 1 1 ) to (# seat := Next_seat(sl 1 1 , fltll, prefll), 
pass := pas! 1 #) = b! 1 . 

Rewriting member (a! 1 , sill (fit 11)) to si 1 1 (f It 1 1) (a! 1) . 

Rewriting add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) , 
si! l(flt! 1)) (a! i) to sill (fit 1 1) (a! 1) . 

Invoking decision procedures, 
this simplifies to: 

NAu .1.2 : 

{-I) - (# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) = b 1 1 

{-2} si 1 l(f It ! 1) (a! 1) 

[-3] fltll = fit 12 

[-4] pass(all) = pass(bll) 


[1] pref _f illed(sl 1 1 , fltll, prefll) 
{2} TRUE 

[3] si 1 1 (fit 1 2) (b 1 1) 

[4] all = b 1 1 

which is trivially true. 

This completes the proof of MAu.1.2. 
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This completes the proof of MAu.l. 


MAu.2 : 

[-1] IF pref _f illed(sl I 1 , fltll, prefll) 

OR pass_on_f light (pas ! 1 , flt!l, sl!l) THEN si ! 1 (f It !2) (a! 1) 

ELSE 
si ! 1 

WITH [fit ! 1 := 

add( (# seat := Next_seat(sl ! 1 , flt!l, prefll), pass : = pasll 
#), si ! l(f It 11))] (fit 12) (a! 1) 

END IF 

[-2] IF pref _f illed(sl ! 1 , fltll, prefll) 

OR pass_on_f light (pas 1 1 , fltll, sill) THEN si I l(f It 12) (b! 1) 

ELSE 

sill 

WITH [fltll := 

add( (# seat := Next_seat(sl! 1. fltll, prefll), pass := pasll 
#), si! l(flt! 1))] (fit 1 2) (b! 1) 

END IF 

[-3] pass(all) s pass(bll) 

I-- 

{1} fltll = fit 1 2 

[2] si 1 1 (fit 1 2) (a! 1) AND si 1 1 (fit 1 2) (b 1 1) 

[3] all = b! 1 

We are rewarded by our perspicaciousness. PVS informs us that the proof of HAu. 1 .2 is complete 
and thus MAu. 1 . as well. It then presents us with MAu.2. We issue an ASSERT command to simplify: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

HAu. 2 : 

{-1} si! 1 (fit 1 2) (a! 1) 

{-2} si I l(f It 12) (b 1 1) 

[-3] pass(all) * pass(bll) 

I 

[1] fltll = fit 1 2 

[2] sill (fit 1 2) (a! 1) AND si I l(f It 1 2) (b! 1) 

[3] all = b 1 1 

We issue another ASSERT command: 

Rule? (ASSERT) 

Invoking decision procedures, 
this simplifies to: 

HAu. 2 : 
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[-1] si ! l(flt !2) (a! 1) 

[-2] si ! l(f It !2) (b! 1) 

[-3] pass(a!l) = pass(b!l) 


[1] fit ! 1 = fit !2 

{2} TRUE 

[3] all = b! 1 

which is trivially true. 

This completes the proof of MAu.2. 

Q.E.D. 

Run time = 45.09 secs. 

Real time « 291.16 secs. 

MAu : 

| 

{1} (FORALL (fit: flight), (pas: passenger), 

(pref: preference), (si: assn.state) : 
uniqueness(sl) IMPLIES uniqueness (Make_assn(f It, pas, pref, si))) 

> 

M-x edit-pr displays the complete proof as follows: 

("" (SKOLEM 1 

("fltfl" "pas ! 1" "pref ! 1" "sill")) 

(FLATTEN) 

(AUTO-REWRITE-THEORY "sets [seat.assignment] ") 

(EXPAND "uniqueness") 

(SKOLEM 1 ("all" "b!l" "flt!2")) 

(FLATTEN) 

(INST -1 "all" "b! 1" "flt!2") 

(EXPAND "Make.assn") 

(ASSERT) 

(LIFT-IF -1 -2) 

(CASE "fltll = fit! 2") 

(("1" (GROUND) 

(("1" (HIDE 3 4) 

(EXPAND "pass.on.flight") 

(INST-CP 2 "all") 

(INST 2 "b! 1") 

(ASSERT)) 

("2" (HIDE 3 4) 

(EXPAND "pass.on.flight") 
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(INST-CP 2 "all") 

(INST 2 "b! 1") 

(ASSERT) 

(PROPAX)))) 

("2" (ASSERT) (ASSERT) (PROPAX)))) 

This completes the two lemmas. 

3.2.3 Proof of Theorem 

We now must show that these two lemmas imply Make_assn_inv. This is very straight forward and 
the details are left to the reader. Hint: M-x edit-pr on this theorem gives 

("" (SKOSIMP) 

(EXPAND "assn.invariant") 

(LEMMA "MAe") 

(INST -1 "fltll " "pas ! 1 " "prefll " "sl!l") 

(LEMMA "MAu") 

(INST -1 "fltll " "pas 11 11 "prefll " "sill") 

(GROUND)) 

3.3 Proof that the Initial State Satisfies the Invariant 

It is necessary to show that the initial state of the system satisfies the invariant. This together with 
the invariant-preserving properties about the operations are sufficient to establish that the system 
will always preserve the invariant. The needed theorem for the initial state is: 

initial_state_inv: THEOREM assn_invariant(initial_state) 

This theorem is easy to prove. In fact, the PVS strategy for proving TCCs almost proves it without 
help. This strategy is automatically invoked when one issues a M-x tcp command to prove the 
TCCs. However, this strategy is also available during interactive proof by typing (TCC): 

initial_state_inv : 

I- 

{1} assn.invariant (initial.state) 

Rule? (TCC) 

Rewriting initial.state(flt) to emptyset [seat.assignment] . 

Rewriting emptyset [seat.assignment] (a) to FALSE. 

Rewriting member(a, emptyset [seat.assignment]) to FALSE. 

Rewriting existence(initial.state) to 

(FORALL (a: seat.assignment), (fit: flight): TRUE). 

Rewriting initial.state(flt) to emptyset [seat.assignment] . 

Rewriting emptyset [seat.assignment] (a) to FALSE. 

Rewriting member(a, emptyset [seat.assignment]) to FALSE. 

Rewriting initial.state(flt) to emptyset [seat.assignment] . 

Rewriting emptyset [seat.assignment] (b) to FALSE. 

Rewriting member(b, emptyset [seat.assignment]) to FALSE. 
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Rewriting uniqueness (initial.state) to 

(FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): TRUE). 
Rewriting assn_invariant(initial_state) to 

(FORALL (a: seat.assignment), (fit: flight): TRUE) 

AND (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): TRUE) 

Trying repeated skolemization, instantiation, and if-lifting, 
this yields 2 subgoals: 
initial.state.inv. 1 : 

| 

{1} (FORALL (a: seat.assignment), (fit: flight): TRUE) 

The TCC strategy has created two subgoals. Each of these are completed by issuing a single SKOSIMP 
command: 

Rule? (SKOSIMP) 

For the top quantifier in 1, we introduce Skolem constants: (a ! 1 fltil) 
this simplifies to: 
initial.state.inv. 1 : 

I 

{1} TRUE 

which is trivially true. 

This completes the proof of initial.state.inv. 1. 
initial.state.inv. 2 : 

| 

{1} (FORALL (a: seat.assignment), (b: seat.assignment), (fit: flight): TRUE) 
Rule? (SKOSIMP) 

For the top quantifier in 1, we introduce Skolem constants: (a!i b!l fltil) 
this simplifies to: 
initial.state.inv. 2 : 

I- - 

{1} TRUE 

which is trivially true. 

This completes the proof of initial.state.inv. 2. 

Q.E.D. 
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Run time = 3.78 secs. 

Real time * 5.74 secs. 

NIL 

> 

3.4 Proof of one_per_seat Invariant 

The third invariant of the system has not been dealt with in the previous sections. As mentioned 
earlier, the proofs of these theorems are left to the reader for an exercise. The required theorems 
for the Cancel_assn and Make.assn operations are 

Cancel_inv_one_per_seat: THEOREM one_per_seat(sl) 

IMPLIES one_per_seat (Cancel_assn(f It ,pas , si) ) 


Make_inv_one_per_seat: THEOREM one_per_seat(sl) 

IMPLIES one_per_seat (Make_assn(f It ,pas ,pref ,sl) ) 

initial_one_per_seat: THEOREM one_per_seat(initial_state) 

An additional property about the uninterpreted function Next-seat must be added to the specifi- 
cation in order to prove Make_inv_one_per_seat: 

Next_seat_ax_2: AXIOM (FORALL a: member(a,sl(flt)) IMPLIES 

seat(a) /= Next_seat(sl, fit, pref)) 

3.5 System Properties and Putative Theorems 

Usually there are several types of system properties that are of interest to formalize and prove: 

1. Properties about critical system operation derived from high level requirements 

2. Putative theorems used to confirm our understanding of the specified system 

An example of (2) is the property that if the system is in state si, and we make a seat assignment 
and then immediately cancel it, we should return to the same system state: 

Make_Cancel: THEOREM NOT pass_on_flight(pas,flt,sl) => 

Cancel_assn(flt,pas,Make_assn(flt,pas,pref ,sl)) = si 

The proof of this theorem involves several new concepts not encountered in the previous proofs. 
The novice reader is encouraged to continue working at the terminal, while reading the following 
proof. A key difference in this proof is the need to establish the equality of functions. This requires 
the use of “extensionality” axioms provided by PVS. We issue the M-x pr command: 

Make.Cancel : 

I- 

{1} (FORALL (fit: flight), (pas: passenger), 

(pref: preference), (si: assn.state) : 

NOT pass_on_f light (pas, fit, si) 

*> Cancel_assn(flt, pas, Make_assn(flt, pas, pref, si)) ■ si) 
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As always we skolemize with SKOSIMP : 

Rule?: (SKOSIMP) 

For the top quantifier in 1, we introduce Skolero constants: (fltil pas!i prefll si! 1) 
this simplifies to: , 

Make.Cancel : ; 

| 

{1} NOT pass_on_f light (pas ! 1 , fltil, sill) 

=> Cancel_assn(flt! 1, pasll, Make_assn(f It ! 1 , pas!l, prefll, sill)) 

= sill 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

Make.Cancel : 

I 

{1} pass_on_f light (pas! 1, fltil, si ! 1) 

{2} Cancel_assn(f It ! 1 , pasll, Make_assn(flt! 1, pasll, prefll, sill)) ■ sill 


We expand Cancel_assn, pas s_on_f light and Make.assn: 

Rule?: (EXPAND "Cancel.assn") 

Expanding the definition of Cancel.assn 
this simplifies to: 

Make.Cancel : 


[1] pass.on.f light (pas! 1, fltil, sill) 

{2} Make_assn(flt! 1, pasll, prefll, sill) 

WITH [fit II : = 

{a: seat .assignment | 

member(a, Make_assn(flt! 1, pasll, prefll, sl!l)(flt!l)) 

AND pass (a) /- pasll}] 

= sill 

Rule?: (EXPAND "pass.on.f light") 

Expanding the definition of pass.on.flight 
this simplifies to: 

Make.Cancel : 

I - 

{1} (EXISTS (a: seat.assignment) : pass(a) * pasll AND member(a, si! l(fltll))) 

[2] Make_assn(flt 1 1 , pasll, prefll, sill) 

WITH [fltil :» 

{a: seat.assignment I 

member(a, Make_assn(flt!l, pasll, prefll, si II) (fit II)) 
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\ 

\ 

AND pass (a) /= pas!l>] 

* si ! 1 

* 

Rule?: (EXPAND "Make. assn") 

Expanding the definition of Make.assn 
this simplifies to: 

Make.Cancel : 


[1] (EXISTS (a: seat .assignment) : pass(a) =pas!l AND member (a, s 1 ! 1 (fit ! 1 ) ) ) 
{2} IF pref _f illed(sl ! 1 , flt!l, prefll) 

OR pass.on.f light (pas ! 1 , flt!l, sill) THEN sl!l 
ELSE sill 

WITH [fit ! 1 :* 

add((# seat : = Next_seat(sl! 1, flt!l, prefll), pass : = pas 11 
#), sllKfltll))] 

ENDIF 

WITH [fit 11 : = 

{a: seat.assignment I 
member (a, 

IF pref.f illed(sl ! 1 , fltll, prefll) 

OR pass.on.f light (pas 1 1 , fltll, sill) THEN sill 
ELSE sill 

WITH [fltll :■ 

add((# seat := Next_seat(sl! 1, fltll, prefll), 
pass := pas! 1 
#), sllKfltll))] 

ENDIF(fltll)) 

AND pass (a) /= pas!l>] 

* sill 

We issue an (AUTO-REWRITE-THEORY "sets [seat .Assignment]") directive to the prover: 

Rule?: (AUTO-REWRITE-THEORY "sets [seat.assignment] ") 

Adding rewrites from theory sets [seat.assignment] 

Adding rewrite rule member 
Adding rewrite rule union 
Adding rewrite rule intersection 
Adding rewrite rule difference 
Adding rewrite rule add 
Adding rewrite rule remove 
Adding rewrite rule singleton 
Adding rewrite rule subset? 

Adding rewrite rule strict.subset? 

Adding rewrite rule empty? 

Adding rewrite rule emptyset 
Adding rewrite rule nonempty? 

Adding rewrite rule fullset 
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Adding rewrite rule disjoint? 

Adding rewrite rule extensionality 
Auto-rewritten theory sets[seat_assignment] 

Rewriting relative to the theories: 
sets[seat_assignment] , 

NIL, 

NIL, 

this simplifies to: 

Make. Cancel : 

| 

[1] (EXISTS (a: seat .assignment) : pass(a) = pas!l AND memberCa, si! l(fltli))) 

[2] IF pref _f illed(sl ! i , flt!l, prefll) 

OR pass.on.f light (pas ! 1 , flt!l, sl!l) THEN sl!l 
ELSE sill 

WITH [fit ! 1 :» 

add((# seat := Next_seat(sl ! 1 , fltll, pref!l), pass := pasll 
#), si ! l(f It ! 1) )] 

END IF 

WITH [fltll := 

{a: seat. assignment I 
member (a, 

IF pref _f illed(sl ! 1 , fltll, prefll) 

OR pass.on.f light (pas ! 1 , fltll, sill) THEN sill 
ELSE sill 

WITH [fltll :■ 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), 
pass := pas! 1 
#), slll(fltll))] 

ENDIF(fltll)) 

AND pass (a) /= pas!l>] 

= sill 

Since the IF THEN ELSE is not at the highest level in formula [2], we issue a LIFT-IF command: 
Rule?: (LIFT-IF 2) 

Lifting IF-conditions to the top level, 
this simplifies to: 

Make.Cancel : 

I 

[lj (EXISTS (a: seat .assignment) : pass(a) ■ pasll AND member(a, si!i(flt! 1))) 
{2} IF pref.f illed(sl 1 1, fltll, prefll) OR pass.on.f light (pas 1 1 , fltll, sill) 
THEN sill 

WITH [fltll :* 

{a: seat. assignment | member(a, slll(fltll)) AND pass(a) /= pasll}] 

■ si 1 1 

ELSE 
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si! 1 

WITH [fit ! 1 :■ 

add((# seat := Next. seat (si ! 1 , fltll, prefll), pass := pas!l 
#), si ! l(flt ! 1))] 

WITH [fit ! 1 :* 

{a: seat. assignment I 
member (a, 

sill 

WITH [fltll := 

add((# seat :■ Next.seat(sl! 1, fltll, pref!l), 
pass : = pas! 1 
#), si ! 1 (fit ! 1) )] (fit ! 1) ) 

AND pass (a) /= pas!l>] 

* si ! 1 
ENDIF 

Since the IF THEN ELSE is on the conclusions side of the sequent, it is equivalent to a conjunction. 
Thus, we use a SPLIT command: 

Rule?: (SPLIT 2) 

Splitting conjunctions, 
this yields 2 subgoals: 

Make.Cancel . 1 : 


{1} pref _f illed(si ! 1 , flt!l, prefil) OR pass_on_f light (pas! 1, fltll, sl!l) 

IMPLIES sill 
WITH [fltll :* 

-Ca: seat.assignment I member(a, sl!l(flt!l)) AND pass(a) /« pas!l>] 
= Bill 

[2] (EXISTS (a: seat.assignment): pass(a) ■ pas!l AND member(a, si! l(f It ! 1))) 
We remove the IMPLIES in formula {1} with a FLATTEN command: 

Rule?: (FLATTEN) 

Applying disjunctive simplification to flatten sequent, 
this simplifies to: 

Make.Cancel . 1 : 

{-1} pref.f illed(sl! 1, fltll, pref!l) OR pass.on.f light (pas! 1, fltll, sill) 


{1} sill 

WITH [fltll :« 

{a: seat.assignment | member (a, slll(fltll)) AND pass(a) /* pasll}] 

* sill 

[2] (EXISTS (a: seat.assignment): pass(a) ■ pasll AND member (a, si! l(flt! 1))) 

We notice that formula {1} states that two functions are equal 13 . In PVS one proves the equality of 
functions using extensionality axioms. These are axioms of the form f = g IFF Vx : f(x) = g(x). 

13 slli is a lunctionff light -> ilight^ssignaente]. 
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Thus, to prove f — g, it is sufficient to prove that f(x) = g(x) for all values of x. In order to bring 
the appropriate axiom into the sequent, one uses the APPLY-EXTENSIONALITY command: 

Rule?: (APPLY-EXTENSIONALITY 1) 

Rewriting member(a, sl!l(flt!l)) to si ! l(flt ! 1) (a) . 

Rewriting member (x, 
si ! 1 

WITH [fit ! 1 := 

•[a: s e at _ as s ignment | si ! l(flt ! 1) (a) AND pass(a) /= pas ! 1>] (x ! 1) ) 

to si ! 1 

WITH [fit ! 1 := 

{a: seat.assignment | si! l(flt! 1) (a) AND pass(a) /= pas! 1>] (x! 1) (x) . 
Rewriting member (x, si! 1 (x ! 1> ) to si ! 1 (x ! 1) (x) . 

Rewriting member(a, sl!l(flt!l)) to si ! l(flt ! 1) (a) . 

Rewriting member(a, si ! 1 (fit ! 1) ) to si ! 1 (f It ! 1) (a) . 

Rewriting member (x, 
si ! 1 

WITH [fltil :* 

{a: seat .assignment | si! 1 (fltil) (a) AND pass (a) /- pas! 1>] (x! 1)) 

to si ! 1 

WITH [fltil := 

{a: s e at . as s ignment | si ! l(flt ! 1) (a) AND pass(a) /= pas! 1>] (x! 1) (x) . 
Rewriting member (x, sl!l(x!l)) to si ! 1 (x ! 1) (x) . 

Applying extensionality , 
this simplifies to: 

Make.Cancel . 1 : 

[-1] pref.f illed(sl ! 1 , fltil, prefil) OR pass.on.f light (pas ! 1 , fltil, sl!l) 

I 

{1} si ! 1 

WITH [fltil := 

■[a: seat. assignment | si ! l(flt ! 1) (a) AND pass(a) /= pas!l>](x!l) 

» si ! l(x! 1) 

{2> si ! 1 

WITH [fltil : = 

{a: seat. assignment | si ! l(flt ! 1) (a) AND pass(a) /» pas!l>] 

= si ! 1 

{3> (EXISTS (a: seat.assignment) : pass(a) = pas!l AND si! l(flt ! 1) (a)) 

Notice that this command has added the formula {1} to the sequent. Usually it is easier to prove 
formulas like {1} than formulas like [2]. We will not be needing formula [2] any more, so we hide 
it to keep the clutter down. This is accomplished by the HIDE command: 

Rule?: (HIDE 2) 

Hiding formulas: 2, 

this simplifies to: 

Make.Cancel . 1 : 

[-1] pref.f illed(sl ! 1, fltil, prefil) OR pass.on.f light (pas! 1, fltil, slil) 
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[ 1 ] 


si ! 1 

WITH [fit ! 1 := 

{a: seat .assignment | si ! l(flt ! 1) (a) AND pass(a) /* pas!l}](x!l) 

« si! l(x! 1) 

[2] (EXISTS (a: seat.assignment): pass(a) = pas!l AND si ! l(flt ! 1) (a)) 

The equality in formula [1] is trivial except for sl!l(flt!l), so we case split on fit! 1 » x!l: 

Rule?: (CASE "flt!l = x!l") 

Case splitting on 
fit ! 1 * x! 1 , 

this yields 2 subgoals: 

Make.Cancel . 1 . 1 : 

{-1} fit ! 1 - x! 1 

[-2] pref _f illed(sl ! 1 , flt!l, prefil) OR pass.on.f light (pas! 1, flt!l, sl!l) 

I-- 

[1] si ! 1 

WITH [fit ! 1 := 

{a: seat .assignment I si! 1 (fit! 1) (a) AND pass(a) /* pas! 1}] (x! 1) 

■ si! l(x! 1) 

[2] (EXISTS (a: seat.assignment) : pass(a) * pas!l AND si! l(flt ! 1) (a)) 

We simplify with ASSERT : 

Rule? : (ASSERT) 

Rewriting member (x, {a: seat.assignment | sl!l(flt!l)(a) AND pass(a) /= pas!l>) 
to si ! l(flt ! 1) (x) AND pass(x) /- pas!l. 

Rewriting member (x, sl!l(x!l)) to si ! 1 (x ! 1) (x) . 

Invoking decision procedures, 
this simplifies to: 

Make.Cancel .1.1 : 

[-1] fit ! 1 ■ x! 1 

[-2] pref _f illed(sl ! 1 , flt!l, prefil) OR pass.on.f light (pas ! 1 , flt!l, si ! 1) 

I 

{1} ({a: seat.assignment | si! 1 (fit ! 1) (a) AND pass(a) /■ pas!l>) ■ sl!l(x!l) 

[2] (EXISTS (a: seat.assignment): pass(a) * pas!l AND sl!l(flt!l)(a)) 

We remember that sets in PVS are just functions into bool, so formula {1} involves the equality 
of two functions. As before we invoke the APPLY-EXTENSIONALITY command to introduce the 
appropriate axiom into the sequent: 

Rule?: (APPLY-EXTENSIONALITY 1) 

Rewriting member (x, {a: seat.assignment I si! l(flt! 1) (a) AND pass(a) /■ pas!l» 
to sl!l(flt!l)(x) AND pass(x) /* pasil. 

Rewriting member (x, sl!l(x!l)) to si ! 1 (x ! 1) (x) . 

Rewriting member(x, {a: seat.assignment | si ! l(flt ! 1) (a) AND pass(a) /■ pasil}) 
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to Sl!i(flt!l)(x) AND pass(x) /= pasll. 

Rewriting member(x, sl!l(x!l)) to si ! 1 (x ! 1) (x) . 

Applying extensionality , 
this simplifies to: 

Make_Cancel .1.1 : 

[-1] fit ! 1 = x! 1 

[-2] pref _f illed(sl ! 1 , fltll, prefll) OR pass.on.f light (pas ! 1 , flt!l, sl!l) 


{1} (si ! l(flt ! 1) (x!2) AND pass(x!2) /= pasll) = si ! l(x! 1) (x! 2) 

[2] ({a: seat.assignment I si ! l(flt ! 1) (a) AND pass (a) /= pasll}) = slll(xll) 

[3] (EXISTS (a: seat.assignment) : pass(a) = pasll AND si 1 1 (f It 1 1) (a) ) 

We won’t need formula [2], so we hide it. 

Rule?: (HIDE 2) 

Hiding formulas: 2, 

this simplifies to: 

Make_Cancel . 1 . 1 : 

[-1] fltll = x! 1 

[-2] pref_f illed(sl 1 1 , fltll, prefll) OR pass_on_f light (pas! 1, fltll, sill) 


[1] (si I l(f It 1 1) (x! 2) AND pass(x! 2) /= pasll) = si I l(x! 1) (x 1 2) 

[2] (EXISTS (a: seat.assignment) : pass(a) = pasll AND si I l(flt 1 1) (a)) 

We notice that slll(xll) appears in formula [1], while sl!l[flt!l] appears in formula [2]. 
Formula [-1] tells us that fit II = x 1 1, so we replace formulas [1] and [2] with [-1]: 

Rule?: (REPLACE -1 * RL) 

Replacing using formula -1, 
this simplifies to: 

Make.Cancel . 1 . 1 : 

[-1] fltll = x! 1 

[-2] pref _f illed(sl 1 1 , fltll, prefll) OR pass_on_f light (pas 1 1 , fltll, sill) 
I- 

{1} (sill (fit 1 1) (x 1 2) AND pass(x!2) /= pasll) * sl!l(flt!l)(x!2) 

[2] (EXISTS (a: seat.assignment) : pass (a) ■ pasll AND si! 1 (fit 1 1) (a)) 

To match formula [2] with formula [1], we instantiate formula [2]’s existential quantifier with x!2: 

Rule?: (INST 2 "x!2") 

Instantiating the top quantifier in 2 with the terms: 
x!2 

this simplifies to: 

Make.Cancel .1.1 : 

[-1] fltll = x! 1 

[-2] pref _f illed(sl 1 1 , fltll, prefll) OR pass.on.f light (pas 1 1 , fltll, sill) 
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[1] (si ! 1 (fit ! 1) (x ! 2) AND pass(x!2) /= pasll) * si ! l(flt ! 1) (x ! 2) 

{2} pass (x! 2) * pas!l AND si ! l(f It ! 1) (x!2) 

We now finish off this sequent with GROUND: 

Rule?: (GROUND) 

Applying propositional simplification and decision procedures. 

This completes the proof of Make.Cancel . 1 . 1 . 

Make.Cancel. 1.2 : 

[-1] pref _f illed(sl ! 1 , flt!l, prefll) OR pass_on_f light (pas ! 1 , fltll, sl!l) 

I- 

{1} fltll - xll 

[2] si ! 1 

WITH [fltll := 

■[a: seat.assignment I si ! l(flt 1 1) (a) AND pass(a) /= pas!l>](x!l) 

* si! l(x! 1) 

[3] (EXISTS (a: seat .assignment) : pass (a) = pas 11 AND si! 1 (fit! 1) (a)) 

The prover now turns our attention to Make_Cancel .1.2. We issue an ASSERT: 

Rule?: (ASSERT) 

Invoking decision procedures. 

This completes the proof of Make.Cancel.1.2. 


This completes the proof of Make.Cancel . 1 . 

Make_Cancel.2 : 

I- 

{1} NOT 

(pref _f illed(sl ! 1 , fltll, prefll) 

OR pass_on_flight(pas!l, fltll, sill)) 

IMPLIES 

sill 

WITH [fltll :* 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :■ pas 11 
#), slll(fltll))] 

WITH [fltll :■ 

(a: seat.assignment | 
member (a, 

sill 

WITH [fltll :■ 

add((t seat :■ Next.seat (si ! 1 , fltll, prefll), 
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pass := pas! 1 

#), si ! l(f It ! 1) )] (fit! 1)) 

AND pass (a) /= pas!l>] 

= si! 1 

[2] (EXISTS (a: seat.assignment) : pass(a) = pas!l AND member (a, si ! l(flt ! 1) ) ) 

That finishes off Make_Cancel . 1 . 2 and consequently Make-Cancel . 1. We are now working on 
Make_Cancel .2. We issue a GROUND command: 

Rule?: (GROUND) 

Rewriting member (a, s 1 ! 1 (fit ! 1) ) to si ! l(f It ! 1) (a) . 

Rewriting add((# seat : = Next_seat(sl ! 1 , flt!l, prefll), pass := pas!l #) , 

si ! l(flt ! 1)) (a) to (# seat := Next_seat(sl! 1, flt!l, prefll), pass : = pas!l #) 
« a OR si ! l(f It ! 1) (a) . 

Rewriting member(a, 

add((# seat := Next_seat(sl ! 1 , fit ! 1 , prefll), pass := pasll #) , 
sllKflt! 1))) to (# seat := Next_seat(sl 1 1, fltll, prefll), pass := pasll #) 

* a OR sill (fit 1 1) (a) . 

Rewriting raember(a, slll(fltll)) to si I l(f It! 1) (a) . 

Applying propositional simplification and decision procedures, 
this simplifies to: 

Make_Cancel . 2 : 


{1} pref.f illed(sl 1 1 , fltll, prefll) 

{2} pass_on_f light(pas 1 1 , fltll, sill) 

{3} sill 

WITH [fltll :• 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll 
#), slll(fltll))] 

WITH [fltll := 

{a: seat .assignment | 

((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) ■ a 
OR si I l(flt 1 1) (a) ) 

AND pass (a) /- pasll}] 

= sill 

{4} (EXISTS (a: seat .assignment) : pass(a) = pasll AND si! l(flt 1 1) (a)) 

Since formula {3} involves the equality of two functions, we issue an APPLY-EXTENSIONALITY com- 
mand: 

Rule?: (APPLY-EXTENSIONALITY 3) 

Rewriting member(x, 
sill 

WITH [fltll := 

add((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :* pasll 
#), slll(fltll))] 

WITH [fltll :« 

{a: seat .assignment | 
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((# seat := Next_seat(sl! 1, flt!l, pref!l), pass :■ pasll #) ■ a 
OR si ! l(f It ! 1) (a) ) 

AND pass(a) /- pas! 1>] (x! 1)) to sl!l 
WITH [fit ! 1 := 

add((# seat := Next_seat(sl ! 1 , flt!l, prefll), pass :* pasll 
#), si ! 1 (fit ! 1) )] 

WITH [fit ! 1 := 

{a: seat .assignment | 

((# seat := Next_seat(sl ! 1 , flt!l, prefll), pass :» pasll #) ■ a 
OR slllCflt! l)(a)) 

AND pass (a) /= pas! 1>] (x! 1) (x) . 

Rewriting member (x, slll(xll)) to si 1 1 (x 1 1) (x) . 

Rewriting member (x, 
sill 

WITH [fit II : = 

add((# seat := Next_seat(sl! 1, fltll, prefll), pass :* pasll 
#), slll(fltll))] 

WITH [fltll :* 

{a: seat .assignment I 

((# seat := Next.seatCsl 1 1 , fltll, prefll), pass :® pasll #) * a 
OR si! l(flt! 1) (a)) 

AND pass (a) /= pas! 1>] (x! 1)) to sill 
WITH [fltll := 

add((# seat := Next_seat(sl!l, fltll, prefll), pass :* pasll 
#), slll(fltll))] 

WITH [fltll :* 

{a: seat.assignment | 

((# seat := Next.seatCsl 1 1 , fltll, prefll), pass :■ pasll #) * a 
OR si I l(f It 1 1) (a) ) 

AND pass (a) /- pas 1 1>] (x! 1) (x) . 

Rewriting member (x, si 1 1 (x 1 1) ) to si 1 1 (x 1 1) (x) . 

Applying extensionality, 
this simplifies to: 

Make.Cancel . 2 : 

I 

{1} sill 

WITH [fltll := 

add((# seat := Next.seatCsl! 1, fltll, prefll), pass :■ pasll 
#), si 1 1 Cf It 1 1) )] 

WITH [fltll :* 

{a: seat.assignment | 

((# seat := Next.seatCsl 1 1 , fltll, prefll), pass :■ pasll #) ■ a 
OR slUCfltlDCa)) 

AND passCa) /= pas! 1}] Cxll) 

- slllCxIl) 

[2] pref.filledCslIl, fltll, prefll) 
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[3] pass_on_f light (pas ! 1 , fit ! 1 , sill) 

[4] si ! 1 

WITH Cf It ! 1 := 

add((# seat := Next_seat(sl ! 1 , flt!l, prefil), pass := pas!l 
#), si ! 1 (fit 11))] 

WITH [fit ! 1 := 

{a: seat_assignment | 

((# seat : = Next_seat(sl ! 1 , flt!l, prefil), pass := pasil #) = a 
OR si ! 1 (fit ! 1) (a) ) 

AND pass (a) /= pasil}] 

» slil 

[5] (EXISTS (a: seat .assignment) : pass (a) = pasil AND si ! 1 (fit ! 1) (a)) 

We hide formula [4]: 

Rule?: (HIDE 4) 

Hiding formulas: 4, 

this simplifies to: 

Make.Cancel . 2 : 

| 

[1] slil 

WITH [fit ! 1 := 

add((# seat := Next_seat(sl ! 1 , fltil, prefil), pass := pasil 
#), slil(fltil))] 

WITH [fltil := 

{a: seat .assignment | 

((# seat := Next_seat(sl ! 1 , fltil, prefil), pass := pasil #) = a 
OR si ! l(flt ! 1) (a) ) 

AND pass(a) /= pas!l}](x!l) 

= slil(xil) 

[2] pref _f illed(sl ! 1 , fltil, prefil) 

[3] pass.on.f light (pas ! 1 , fltil, slil) 

[4] (EXISTS (a: seat.assignment) : pass(a) = pasil AND si! l(f It ! 1) (a)) 

Once again the function equality is trivial except for fltil = x! 1, so we case split: 

Rule?: (CASE "fltil = xil") 

Case splitting on 
fltil = xil, 

this yields 2 subgoals : 

Make.Cancel . 2 . 1 : 

{-1} fltil = xil 


[1] slil 

WITH [fltil :» 

add((# seat :■ Next_seat(sl ! 1 , fltil, prefil), pass :- pasil 
#), slil(fltil))] 
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WITH [fltll := 

{a: seat .assignment | 

((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :■ pasll #) * a 
OR si ! 1 (fit ! 1) (a) ) 

AND pass (a) /= pas!l}](x!l) 

- sl!l(x!l) 

[2] pref _f illed(sl ! 1 , fltll, prefll) 

[3] pass_on_flight(pas! 1, fltll, sill) 

[4] (EXISTS (a: seat .assignment) : pass(a) = pasll AND si! l(flt!l)(a)) 

We simplify with ASSERT: 

Rule?: (ASSERT) 

Rewriting member (x, 

{a: seat .assignment I 

((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :* pasll #) * a 
OR si I l(flt 1 1) (a)) 

AND pass(a) /= pasll}) to ((# seat : = Next_seat(sl 1 1 , fltll, prefll), 
pass := pas II#) ■ x 
OR si I l(flt 1 1) (x)) AND pass(x) /= pasll. 

Rewriting member (x, slll(xll)) to si 1 1 (x 1 1) (x) . 

Invoking decision procedures, 
this simplifies to: 

Make.Cancel .2 . 1 : 

[-1] fltll = x 1 1 


{1} ({a: seat .assignment I 

((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :■ pasll #) * a 
OR si I l(flt 1 1) (a)) 

AND pass (a) /= pasll}) 

* sill (x 1 1 ) 

[2] pref _f illed(sl 1 1, fltll, prefll) 

[3] pass.on.f light (pas 1 1 , fltll, sill) 

[4] (EXISTS (a: seat.assignment) : pass(a) = pasll AND si! l(flt 1 1) (a)) 

Once again we have a formula that involves the equality of two functions, one of which is a set. 
Thus, we issue an APPLY-EXTENSIONALITY command followed by the usual HIDE command: 

Rule?: (APPLY-EXTENSIONALITY 1) 

Rewriting member (x, 

{a: seat.assignment | 

((# seat :* Next.seat (si 1 1, fltll, prefll), pass :* pasll #) ■ a 
OR si I l(flt 1 1) (a)) AND pass(a) /- pasll}) 
to ((# seat := Next.seat (si 1 1 , fltll, prefll), pass :* pasll #) * x 
OR si! l(flt! l)(x)) AND pass(x) /- pasll. 

Rewriting member (x, slll(xll)) to si 1 1 (x 1 1) (x) . 

Rewriting member (x, 

{a: seat.assignment I 
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((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) = a 
OR si I l(flt 1 1) (a)) AND pass(a) /= pasll}) 
to ((# seat := Next.seat (si 1 1 , fltll, prefll), pass : = pasll #) - x 
OR si I l(flt 1 1) (x) ) AND pass(x) /= pasll. 

Rewriting member(x, slll(xll)) to si 1 1 (x! 1) (x) . 

Applying extensionality , 
this simplifies to: 

Make.Cancel . 2 . 1 : 

[-1] fltll = x 1 1 
| 

{1} (((# seat : = Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) = x!2 

OR sill (fit 1 1) (x! 2) ) 

AND pass(x!2) /= pasll) 

■ slll(xll) (x 1 2 ) 

[2] ({a: seat.assignment I 

((# seat :* Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) = a 
OR si I l(f It 1 1) (a) ) 

AND pass(a) /= pasll}) 

= slll(xll) 

[3] pref _f illed(sl 1 1 , fltll, prefll) 

[4] pass_on_f light (pas 1 1 , fltll, sill) 

[5] (EXISTS (a: seat_assignment) : pass(a) = pasll AND si 1 1 (f It 1 1) (a) ) 

Rule?: (HIDE 2) 

Hiding formulas: 2, 

this simplifies to: 

Make.Cancel . 2 . 1 : 

[-1] fltll = x 1 1 


[1] (((# seat := Next_seat(sl 1 1 , fltll, prefll), pass := pasll #) = x!2 

OR si ! l(f It ! 1) (x!2) ) 

AND pass (x 1 2) /= pasll) 

= si! l(x! 1) (x!2) 

[2] pref_filled(sl! 1, fltll, prefll) 

[3] pass_on_flight(pas!l, fltll, sill) 

[4] (EXISTS (a: seat.assignment) : pass(a) = pasll AND si! 1 (fit 1 1) (a)) 

As in past cases we take advantage of formula [1] using the REPLACE command 14 . 

Rule?: (REPLACE -1 * RL) 

Replacing using formula -1, 
this simplifies to: 

Nake.Cancel . 2 . 1 : 

14 The PVS decision procedures are powerful enough to prove this sequent and the previous one even if the REPLACE 
commands are omitted. Nevertheless, often the discovery of a proof is easier when the REPLACE command is used in 
situations such as these. 
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[-1] fltll * x!l 

I 

{1} (((# seat := Next_seat(sl 1 1 , fltll, prefll), pass :* pasll #) * x!2 

OR si I l(f It ! 1) (x! 2)) 

AND pass (x 12) /= pasll) 

» si I l(f It 1 1) (x 12) 

[2] pref.f illed(sl 1 1 , fltll, prefll) 

[3] pass_on_f light (pas ! 1, fltll, sill) 

[4] (EXISTS (a: seat .assignment) : pass(a) * pasll AND si I l(flt 1 1) (a)) 

To match the si I l(flt 1 1) (x!2) in formula [1] with the sl!l(flt!l)(a) in formula [4], we in- 
stantiate formula [4] : 

Rule?: (INST 4 "x!2") 

Instantiating the top quantifier in 4 with the terms: 
x!2 

this simplifies to: 

Make.Cancel . 2 . 1 : 

[-1] fltll * x 1 1 
| 

[1] (((# seat := Next.seat(sl 1 1, fltll, prefll), pass :■ pasll #) * x!2 

OR si I l(f It 1 1) (x!2) ) 

AND pass (x 1 2) /= pasll) 

- si I l(flt! 1) (x!2) 

[2] pref _f illed(sl 1 1 , fltll, prefll) 

[3] pass.on.f light (pas 1 1 , fltll, sill) 

{4} pass(x!2) * pasll AND si I l(flt 1 1) (x!2) 

We have now reached the point where one must know that PVS’s decision procedures are not 
complete for equality over the booleans. Thus, it is necessary to convert the ■ in formula [1] to an 
IFF. This is done using the IFF command: 

Rule?: (IFF 1) 

Converting top level boolean equality into IFF form. 

Converting equality to IFF, 
this simplifies to: 

Make.Cancel . 2 . 1 : 

[-1] fltll - xll 


{1} ((# seat :* Next_seat(si!i, fltll, prefll), pass :■ pasll #) ■ x!2 

OR si I l(f It 1 1) (x! 2)) 

AND pass (x 1 2) /= pasll 
IFF si I l(f It 1 1) (x! 2) 

[2] pref _f illed(sl 1 1, fltll, prefll) 

[3] pass.on.f light (pas! 1, fltll, sill) 

[4] pass (x 1 2) ■ pasll AND si 1 1 (fit 1 1) (x 1 2) 
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Now the decision procedures can finish off this sequent: 

Rule?: (GROUND) 

Applying propositional simplification and decision procedures. 
This completes the proof of Make_Cancel.2.1. 

Make.Cancel . 2 . 2 : 


{1} fltll = x! 1 

[2] si ! 1 

WITH [fltll := 

add((# seat := Next_seat(sl ! 1 , fltll, prefll), pass := pasll 
#), slll(fltll))] 

WITH [fltll :* 

{a: seat .assignment I 

((# seat := Next_seat(sl 1 1, fltll, prefll), pass := pasll #) = a 
OR si I l(flt 1 1) (a) ) 

AND pass (a) /= pas ! 1}] (x! 1) 

= slll(xll) 

[3] pref_filled(sl!l, fltll, prefll) 

[4] pass_on_f light (pas! 1, fltll, sill) 

[5] (EXISTS (a: seat.assignment) : pass(a) = pasll AND si! 1 (fit 1 1) (a)) 

This completes Make.Cancel . 2 . 1 and we are directed to work on Make_Cancel .2.2. An ASSERT 
finishes off this branch and the whole proof: 

Rule? (ASSERT) 

Invoking decision procedures. 

This completes the proof of Make.Cancel. 2. 2. 


This completes the proof of Make.Cancel. 2. 
Q.E.D. 


Run time = 49.55 secs. 

Real time = 61.22 secs. 

M-x edit-pr displays the following complete proof: 

("" (SKOLEM 1 

("fltll" "pasll" "prefll" "sill")) 
(FLATTEN) 

(EXPAND "Cancel.assn") 
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(EXPAND "pass.on.f light") 

(EXPAND "Make.assn") 

(AUTO-REWRITE-THEORY "sets [seat.assignment] ") 

(LIFT-IF 2) 

(SPLIT 2) 

(("1" (FLATTEN) 

(APPLY-EXTENSIONALITY 1) 

(HIDE 2) 

(CASE "fit ! 1 = x! 1") 

(("1" (ASSERT) 

( APPLY-EXTENSIONALITY 1 ) 

(HIDE 2) 

(REPLACE -1 * RL) 

(INST 2 "x!2") 

(GROUND) ) 

("2" (ASSERT)))) 

("2" (GROUND) 

(APPLY-EXTENSIONALITY 3) 

(HIDE 4) 

(CASE "fit ! 1 - x! 1") 

(("1" (ASSERT) 

(APPLY-EXTENSIONALITY 1) 

(HIDE 2) 

(REPLACE -1 * RL) 

(INST 4 "x!2") 

(IFF 1) 

(GROUND)) 

("2" (ASSERT)))))) 

We issue a H-x prt on the theory. All of the proofs are successful — the system reports: 

Proof summary for theory ops 

Cancel_assn_inv 

MAe 



Make.assn. inv 

Make.Cancel 

initial.state.inv 

Theory totals: 6 formulas, 6 attempted, 6 succeeded. 

The following putative theorems are left as exercises for the reader: 

Make.putative: THEOREM NOT pref.f illed(sl, fit, pref) •> 

(EXISTS (x: seat.assignment) : 

member(x, Make_assn(flt, pas, pref, sl)(flt)) AND pass(x) * pas) 

Cancel.putative: THEOREM 

NOT (EXISTS (a: seat.assignment): 

member(a,Cancel_assn(flt,pas,sl)(flt)) AND pass(a) ■ pas) 


proved - complete 
proved - complete 
proved - complete 
proved - complete 
proved - complete 
proved - complete 
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The ambitious reader should add the following definition to the ops theory: 

Lookup: function [flight, passenger, assn.state -> [row .position]] ■ 
(LAMBDA fit, pas, si: 

seat(epsilon( {a I member(a,sl(flt)) AND pass(a) * pas}))) 

and prove 


Lookup.putative: THEOREM NOT (pref _f illed(sl , fit, pref) OR 

pass_on_flight(pas,flt,sl)) => 

meets.pref (aircraft (fit) , 

Lookup(flt, pas, Make_assn(flt,pas,pref ,sl)) , 
pref) 


4 Summary 

A specification of an airline reservation system was formally specified using PVS. A state-machine 
approach was used to model this system. Two operations were defined and shown to maintain 
the state invariant. These proofs were accomplished using the PVS prover and discussed in detail. 
The technique of validating a specification via “putative theorem proving” was also discussed and 
illustrated in detail. 
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